Critiq Docs


security.session-management

Do not disable Rails CSRF protection on browser controllers

Browser-facing Rails controllers should keep forgery protection enabled with a safe strategy.

# Metadata

| Field | Value |
|---|---|
| Rule ID | `ruby.security.rails-csrf-disabled` |
| Severity | high |
| Confidence | 0.82 |
| Languages | ruby |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | csrf, rails, ruby, rules-catalog, security |

# Why it matters

Skipping CSRF verification or downgrading to `null_session` lets attackers replay cross-site requests against authenticated sessions.

# Remediation

Remove blanket `skip_forgery_protection` calls, configure `protect_from_forgery with: :exception`, and keep the `verify_authenticity_token` callback enabled for every state-changing browser action.
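To make the three settings concrete, here is an added plain-Ruby model (not Critiq's rule code and not Rails itself) of how a controller's forgery-protection strategy decides what happens to a POST that carries a missing or wrong token. The `BrowserController`, `ForgeryError` and `update_email` names are hypothetical stand-ins for a Rails controller, `ActionController::InvalidAuthenticityToken` and a state-changing action.

```ruby
require "securerandom"

# Hypothetical error class standing in for ActionController::InvalidAuthenticityToken.
class ForgeryError < StandardError; end

# Minimal model of a browser-facing controller with three forgery-protection settings:
#   :exception    -> bad/missing token raises, the action never runs (recommended)
#   :null_session -> the action still runs, but with an emptied session
#   :skip         -> the action runs with the real session (what skip_forgery_protection does)
class BrowserController
  def initialize(strategy:)
    @strategy = strategy
  end

  # Per-session token, like Rails' session[:_csrf_token].
  def csrf_token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so response timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def valid_token?(session, submitted)
    secure_compare(session[:_csrf_token], submitted)
  end

  # A state-changing browser action. Returns a hash describing what happened.
  def update_email(session, params)
    unless @strategy == :skip || valid_token?(session, params[:authenticity_token])
      raise ForgeryError, "invalid authenticity token" if @strategy == :exception
      session = {} # :null_session -> proceed, but as nobody; the action body still executes
    end
    # Action body: only a logged-in session may change its own email.
    return { executed: true, changed: false } unless session[:user_id]
    { executed: true, changed: true, user_id: session[:user_id], email: params[:email] }
  end
end
```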

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-csrf-disabled.rule.yaml`.