codeigniter4/framework is vulnerable to cross-site request forgery. When auto-routing is enabled, the library checks the request method in the controller method before processing. When auto-routing is disabled, avoid using $routes->add()
and instead use HTTP verbs in routes, allowing an attacker to bypass the CSRF protection mechanism.