As of Cubicweb 3.32, there is a CSRF check on every controllers. However, the RQLIO one is a bit peculiar, as it is intended to be used by authenticated 3rd-parties, meaning that we can disable CSRF check because the RQLIO controllers does not rely on cookie authentication.