@Momenbasel identified that GitHub Jobs didn’t implement CSRF protection for POST HTTP requests. This was not exploitable in typical scenarios, as the application does not use sessions for authenticating users. However, to follow best practices, we implemented CSRF protection by storing a CSRF token in the session and transmitting this along with non-GET/HEAD HTTP requests.
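
The check described above, sketched as an added example (not GitHub's code): a token is stored in the session and every request other than GET/HEAD must carry a matching copy. The session and request are modelled as plain dicts, and the field name `csrf_token` and header name `X-CSRF-Token` are assumptions.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD"}  # only these are exempt, as on the page


def issue_csrf_token(session: dict) -> str:
    """Create the per-session token once; the server embeds it in its forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method: str, session: dict, form: dict, headers: dict) -> bool:
    """Return True if the request may proceed, False if it must be rejected."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    if not expected:
        return False  # no token was ever issued for this session: fail closed
    # Assumed transport: hidden form field, or a header for script-driven requests.
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> list:
    """Run the check over constructed requests (sample data, not real traffic)."""
    session = {}
    token = issue_csrf_token(session)
    requests = [
        ("GET", {}, {}),                          # safe method, no token needed
        ("POST", {"csrf_token": token}, {}),      # same-site form with the token
        ("PUT", {}, {"X-CSRF-Token": token}),     # script-driven call, header token
        ("POST", {}, {}),                         # cross-site form: token missing
        ("POST", {"csrf_token": "guess"}, {}),    # cross-site form: wrong token
    ]
    return [csrf_check(m, session, form, hdrs) for m, form, hdrs in requests]


if __name__ == "__main__":
    print(demo())
```

A cross-site page cannot read the victim's session token, so it can only send the last two kinds of request, and both are rejected.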