week 24 · 2026 · weekly challenge live now

Code review is a skill.
Practice it.

Build the instinct that catches vulnerabilities in review. Hands-on challenges in real production code.

Start today's challenge↵Browse all 207 →

207challenges

70learning articles

10+languages

weekly

+150 pts

mediumrubyCSRF (Cross-Site Request Forgery)

Firmware Update

Review the code for HeatWise, an IoT smart thermostat platform that allows users to manage their home heating devices through a web dashboard. The platform recently added a firmware update feature to push security patches and new features to connected thermostats. The development team implemented standard Rails patterns but may have overlooked some security configurations. Examine how state-changing operations are protected against cross-origin attacks.

1class ApplicationController < ActionController::Base

2 protect_from_forgery with: :exception

3 before_action :set_current_user

5 private

Open challenge↵

01how it works

Read the brief

A short scope statement: what the service does, what you're looking for, and any context that matters.

Review the code

Real world snippets - interfaces, handlers, services, scripts. Skim, then audit. The defect is on a single line.

Click the line

No multiple choice. You point at the bug. Right or wrong, you get an annotated explanation.

02this week's set

view all →

03by class

Web Security

XSS, CSRF, SSRF, open redirects, auth flaws.

explore →

Injection

SQL, command, LDAP, NoSQL, template injection.

explore →

Authentication

Tokens, password storage, session fixation, MFA.

explore →

Web3

Reentrancy, integer overflow, access control.

explore →

Mobile

iOS / Android secure storage, deep links, IPC.

explore →

API

REST, GraphQL, gRPC — auth and rate limiting.

explore →

“We dropped Code Review Lab into our security training rotation. Two weeks later our engineers were catching things in PR review we'd historically missed.”

L. Ivanova

App Sec Lead · Series-C fintech

Ready when you are.

Today's challenge takes about 15 minutes.

Start daily challenge ↵See pricing

loading…