It's important to remember that XML and JSON requests are also subject to the check, so if you're building an API whose clients cannot obtain the token you'll need something like the following, which skips verification for JSON requests:

    class ApplicationController < ActionController::Base
      protect_from_forgery
      skip_before_action :verify_authenticity_token, if: :json_request?

      protected

      def json_request?
        request.format.json?
      end
    end

Only do this when JSON clients authenticate with something other than the session cookie (an API key or bearer token, for example). If the browser session is also accepted on JSON requests, skipping the check reopens the CSRF hole: request.format is derived from the URL extension or the Accept header, not from the request body, so a plain cross-site form POST to a .json URL takes this branch too.
CSRF protection is turned on with the protect_from_forgery method, which checks the token and resets the session if it doesn't match what was expected (what happens on a mismatch is delegated to the configured forgery protection strategy; see handle_unverified_request below). A call to this method is generated for new Rails applications by default.
The token parameter is named authenticity_token by default. The name and value of this token must be added to every layout that renders forms by including csrf_meta_tags in the HTML head; the form helpers embed the same token as a hidden field, and the Rails JavaScript helpers read the meta tags to send it in the X-CSRF-Token header on Ajax requests.
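To make the check concrete, here is an added, stand-alone illustration (not Rails's own code, and not part of this page) of how a session-bound authenticity token is minted, masked for the page, and verified. It mirrors the masked-token scheme Rails has used since 4.2 but simplifies it: the session is a plain Hash, unmasked legacy tokens and per-form tokens are not handled, and the module name CsrfTokenDemo and its methods are assumptions of this example.

```ruby
require "securerandom"

# Added illustration of the authenticity_token check (not Rails code).
# Tokens are stored and transported as strict base64 via pack/unpack("m0").
module CsrfTokenDemo
  TOKEN_LENGTH = 32 # bytes of randomness behind each session's token

  # The per-session secret; `session` stands in for the server-side session store.
  def self.session_token(session)
    session[:_csrf_token] ||= [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0")
  end

  # Byte-wise XOR of two equal-length strings; used to mask and to unmask.
  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # What goes into the hidden authenticity_token field / csrf-token meta tag.
  # A fresh one-time pad per render makes every emitted token different even
  # though the session secret is constant, which keeps compression-oracle
  # attacks (BREACH) from leaking the secret through the page body.
  def self.masked_token(session)
    raw = session_token(session).unpack1("m0")
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor_bytes(pad, raw)].pack("m0")
  end

  # Constant-time comparison: timing must not reveal how many bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The decision behind verify_authenticity_token: true only when the submitted
  # value (form parameter or X-CSRF-Token header) unmasks to *this* session's
  # secret. Missing, malformed, truncated and foreign-session tokens all fail.
  def self.valid_token?(session, submitted)
    return false if submitted.nil? || submitted.empty?
    decoded = submitted.unpack1("m0")
    return false unless decoded.bytesize == TOKEN_LENGTH * 2
    pad       = decoded[0, TOKEN_LENGTH]
    encrypted = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, encrypted), session_token(session).unpack1("m0"))
  rescue ArgumentError # not valid base64
    false
  end
end

if __FILE__ == $0
  victim = {}
  own_page_token = CsrfTokenDemo.masked_token(victim)
  attacker_token = CsrfTokenDemo.masked_token({}) # minted in the attacker's own session
  puts "token from the victim's own page: #{CsrfTokenDemo.valid_token?(victim, own_page_token)}"
  puts "token minted by the attacker:     #{CsrfTokenDemo.valid_token?(victim, attacker_token)}"
  puts "no token at all:                  #{CsrfTokenDemo.valid_token?(victim, nil)}"
end
```

The attacker case is the one CSRF protection exists for: a cross-site form can be made to carry any value, but not a value derived from the victim's session secret, so only tokens that were rendered into a page the victim's own session served will verify.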
Learn more about CSRF attacks and securing your application in the Ruby on Rails Security Guide.
- MODULE ActionController::RequestForgeryProtection::ClassMethods
- MODULE ActionController::RequestForgeryProtection::ProtectionMethods
    # File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 208
    def handle_unverified_request
      forgery_protection_strategy.new(self).handle_unverified_request
    end
The actual before_action that is used to verify the CSRF token. Don't override this directly; provide your own forgery protection strategy instead (handle_unverified_request above instantiates the configured strategy with the controller). If you override this method, you'll also disable same-origin `<script>` verification.
    # File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 197
    def verify_authenticity_token
      mark_for_same_origin_verification!

      if !verified_request?
        if logger && log_warning_on_csrf_failure
          logger.warn "Can't verify CSRF token authenticity"
        end
        handle_unverified_request
      end
    end