Brakeman

Ruby on Rails Static Analysis Security Tool

Authentication Whitelist

When skipping before_filters that have security implications (such as authentication), use a “whitelist” approach: list the exempt actions with :only rather than excluding protected ones with :except. This ensures actions are protected by default and are unprotected only by exception; an action added to the controller later keeps its protection instead of silently losing it.
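The following is an added example, not Brakeman's or Rails' own code: a small constructed stand-in for the :only / :except semantics of skip_before_action, used to show why the :except form leaves a newly added action such as :destroy unauthenticated while the :only form keeps it protected. The controller and filter names are illustrative.

```ruby
# Constructed minimal model of how Rails resolves :only / :except when a
# before_action is skipped. Not the Rails implementation; only the part
# needed to compare the two patterns.
module Filters
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def skipped_filters
      @skipped_filters ||= []
    end

    # Record that +name+ is skipped for the given actions.
    def skip_before_action(name, only: nil, except: nil)
      skipped_filters << {
        name: name,
        only: only && Array(only).map(&:to_sym),
        except: except && Array(except).map(&:to_sym)
      }
    end

    # True when +action+ runs without the filter +name+.
    def filter_skipped?(name, action)
      skipped_filters.any? do |s|
        next false unless s[:name] == name
        if s[:only] then s[:only].include?(action)
        elsif s[:except] then !s[:except].include?(action)
        else true
        end
      end
    end
  end
end

# Pattern Brakeman flags: everything except :show skips authentication,
# so any action added later (e.g. :destroy) is unprotected by default.
class PostsControllerExcept
  include Filters
  skip_before_action :authenticate_user!, except: [:show]
end

# Whitelist pattern: only the listed public actions skip authentication;
# :destroy and any future action stay protected.
class PostsControllerOnly
  include Filters
  skip_before_action :authenticate_user!, only: [:index, :show]
end

# Does +action+ on +controller+ still require authentication?
def requires_auth?(controller, action)
  !controller.filter_skipped?(:authenticate_user!, action)
end
```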

