Rails protect_from_forgery


A feature in Rails that protects against cross-site request forgery (CSRF) attacks. It ensures that a request received by the application really comes from the session of the authorized user. To make this happen, protect_from_forgery automatically includes a security token (a hidden field), calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. The secret is not needed if we use the cookie as session storage. If the security token doesn’t match what was expected, the session is reset. This prevents malicious forms on other sites, or forms inserted through XSS, from submitting to the Rails application.

In recent Rails versions it is added to ApplicationController by default, so every controller inherits the check:

class ApplicationController < ActionController::Base
  # enables the authenticity token check for all non-GET requests
  protect_from_forgery
end
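To make the mechanism described above concrete, here is a small stand-alone model of what protect_from_forgery does: derive a token from the session and the server-side secret, emit it as a hidden field, and on a state-changing request compare the submitted token with the expected one in constant time, resetting the session on a mismatch. This is an added example written for this post, not Rails’ own implementation (Rails’ real code differs in detail, e.g. per-form token masking in newer versions); the class name CsrfGuard, the SERVER_SECRET value and the session id are constructed for the illustration.

```ruby
require 'openssl'
require 'securerandom'

# Simplified model of the protect_from_forgery token check.
# Added example, not Rails' own code; names and secret are constructed.
class CsrfGuard
  # Stands in for the "server-side secret"; constructed value for the example only.
  SERVER_SECRET = 'example-secret-constructed-for-this-demo'.freeze
  # Idempotent methods are not checked, matching Rails' behaviour.
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(secret = SERVER_SECRET)
    @secret = secret
  end

  # Token "calculated from the current session and the server-side secret".
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id)
  end

  # What the form/Ajax helpers emit: a hidden field carrying the token.
  def hidden_field(session_id)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session_id)}" />)
  end

  # Server-side check on an incoming request.
  # Returns :ok when the request may proceed, :session_reset when the token
  # is missing or does not match what was expected for this session.
  def verify(method, session_id, submitted_token)
    return :ok if SAFE_METHODS.include?(method.to_s.upcase)
    return :session_reset if submitted_token.nil?
    secure_equal?(token_for(session_id), submitted_token) ? :ok : :session_reset
  end

  private

  # Constant-time comparison so a mismatch cannot be located byte by byte via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new
  session = SecureRandom.hex(16) # constructed session id
  puts guard.hidden_field(session)
  p guard.verify('POST', session, guard.token_for(session)) # form rendered by the app
  p guard.verify('POST', session, nil)                      # no token: rejected, session reset
  p guard.verify('POST', session, 'f' * 64)                 # wrong token: rejected
  p guard.verify('GET', session, nil)                       # safe method: not checked
end
```

A request that lacks the token, or carries one computed for a different session, gets :session_reset, which is the behaviour the post describes; only a form the application itself rendered for this session carries a token that verifies.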

If we want to disable CSRF protection for specific controllers, we add the following to whatever controllers we don’t want to be affected:

class XxxxxxController < ApplicationController
  # skips the token check inherited from ApplicationController for this controller only
  skip_before_filter :verify_authenticity_token
end
