Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
class ApplicationController < ActionController::Base protect_from_forgery end class FooController < ApplicationController protect_from_forgery except: :index
You can disable CSRF protection on controller by skipping the verification before_action:
skip_before_action :verify_authenticity_token
Valid Options:
:only/:except
- Passed to the before_action
call. Set which actions are verified.
:with
- Set the method to handle unverified request.
Valid unverified request handling methods are:
:exception
- Raises ActionController::InvalidAuthenticityToken exception.
:reset_session
- Resets the session.
:null_session
- Provides an empty session during request but doesn't reset it completely. Used as default if :with
option is not specified.
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 102 def protect_from_forgery(options = {}) self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token prepend_before_action :verify_authenticity_token, options append_after_action :verify_same_origin_request end
© 2004–2017 David Heinemeier Hansson
Licensed under the MIT License.