Namespace
Methods
F
H
I
P
V
Class Public methods
included(base)
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 6
def self.included(base)
  base.class_eval do
    helper_method :form_authenticity_token
    helper_method :protect_against_forgery?
  end
  base.extend(ClassMethods)
end
Instance Protected methods
form_authenticity_param()
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 98
def form_authenticity_param
  params[request_forgery_protection_token]
end
form_authenticity_token()

Sets the token value for the current session. Pass a :secret option in protect_from_forgeryto add a custom salt to the hash.

# File actionpack/lib/action_controller/request_forgery_protection.rb, line 108
def form_authenticity_token
  session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
end
handle_unverified_request()
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 82
def handle_unverified_request
  reset_session
end
protect_against_forgery?()
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 112
def protect_against_forgery?
  allow_forgery_protection && request_forgery_protection_token
end
verifiable_request_format?()
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 102
def verifiable_request_format?
  !request.content_type.nil? && request.content_type.verify_request?
end
verified_request?()

Returns true or false if a request is verified. Checks:

  • is the format restricted? By default, only HTML requests are checked.

  • is it a GET request? Gets should be safe and idempotent

  • Does the #form_authenticity_token match the given token value from the params?

# File actionpack/lib/action_controller/request_forgery_protection.rb, line 91
def verified_request?
  !protect_against_forgery?                            ||
    request.get?                                       ||
    form_authenticity_token == form_authenticity_param ||
    form_authenticity_token == request.headers['X-CSRF-Token']
end
verify_authenticity_token()

The actual before_filter that is used. Modify this to change how you handle unverified requests.

# File actionpack/lib/action_controller/request_forgery_protection.rb, line 78
def verify_authenticity_token
  verified_request? || handle_unverified_request
end