Ruby

Made by DeepSource

Skipping CSRF or authentication checks by default RB-S1005

Security
Major

When skipping CSRF or authentication callbacks for certain actions in a controller, pass the action names explicitly with the only option instead of the except option.

With only, the callbacks are skipped for exactly the listed actions and nothing else. With except, the skip applies to every action not on the list, so any action added to the controller later is silently exempted from CSRF or authentication checks, which is an easy way to open an unintended security hole.

Bad practice

class PeopleController < ApplicationController
    # Skips CSRF verification for every action except index and show,
    # including any action added to this controller in the future.
    skip_before_action :verify_authenticity_token, except: [:index, :show]

    # ...
end

Recommended

class PeopleController < ApplicationController
    # Skips CSRF verification for index and show only; every other
    # action, present or future, keeps the check.
    skip_before_action :verify_authenticity_token, only: [:index, :show]

    # ...
end
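The following is an added example, not code from DeepSource or from Rails. It models the only/except semantics of skip_before_action with a small stand-in callback chain (MiniController, a hypothetical class that is not ActionController), so it runs without Rails, and then checks which actions of a controller still run verify_authenticity_token. The destroy action stands for one added to the controller after the skip was written.

```ruby
# Minimal stand-in for ActionController's callback chain (not Rails code).
# Each callback entry carries an optional only/except action filter; a skip
# entry removes a previously registered callback for the actions it matches.
class MiniController
  class << self
    def callbacks
      @callbacks ||= (superclass.respond_to?(:callbacks) ? superclass.callbacks.dup : [])
    end

    def before_action(name, only: nil, except: nil)
      callbacks << { name: name, only: normalize(only), except: normalize(except), skip: false }
    end

    # Like Rails 5+, refuse to skip a callback that was never declared.
    def skip_before_action(name, only: nil, except: nil)
      unless callbacks.any? { |cb| cb[:name] == name && !cb[:skip] }
        raise ArgumentError, "Before process_action callback #{name} has not been defined"
      end
      callbacks << { name: name, only: normalize(only), except: normalize(except), skip: true }
    end

    # Returns the callbacks that actually run for the given action, in order.
    def callbacks_for(action)
      action = action.to_sym
      callbacks.each_with_object([]) do |cb, active|
        applies = (cb[:only].nil? || cb[:only].include?(action)) &&
                  (cb[:except].nil? || !cb[:except].include?(action))
        next unless applies
        cb[:skip] ? active.delete(cb[:name]) : active << cb[:name]
      end
    end

    private

    def normalize(actions)
      actions.nil? ? nil : Array(actions).map(&:to_sym)
    end
  end
end

# Constructed base controller: every action gets CSRF verification and login.
class ApplicationController < MiniController
  before_action :verify_authenticity_token
  before_action :authenticate_user!
end

# The except: form from the rule's "Bad practice" block.
class ExceptPeopleController < ApplicationController
  skip_before_action :verify_authenticity_token, except: [:index, :show]
end

# The only: form from the rule's "Recommended" block.
class OnlyPeopleController < ApplicationController
  skip_before_action :verify_authenticity_token, only: [:index, :show]
end

# Constructed action list; destroy represents an action added after the skip.
ACTIONS = %i[index show new create edit update destroy].freeze

def csrf_protected?(controller, action)
  controller.callbacks_for(action).include?(:verify_authenticity_token)
end

# Actions of a controller that would accept a request without a CSRF token.
def unprotected_actions(controller, actions = ACTIONS)
  actions.reject { |action| csrf_protected?(controller, action) }
end

if __FILE__ == $PROGRAM_NAME
  puts "except: leaves unprotected -> #{unprotected_actions(ExceptPeopleController).inspect}"
  puts "only:   leaves unprotected -> #{unprotected_actions(OnlyPeopleController).inspect}"
end
```

Run it and the except: controller reports new, create, edit, update and destroy as unprotected, while the only: controller reports just index and show; the later-added destroy action keeps its CSRF check only in the only: form. The authenticate_user! callback is untouched in both cases because the skip names a single callback.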

References

  1. Abstract Controller Callbacks