Module: ActionController::RequestForgeryProtection::ClassMethods

Defined in:: lib/action_controller/metal/request_forgery_protection.rb

Instance Method Summary collapse

#protect_from_forgery(options = {}) ⇒ Object

Turn on request forgery protection.

Instance Method Details

#protect_from_forgery(options = {}) ⇒ `Object`

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

class FooController < ApplicationController
  protect_from_forgery :except => :index

  # you can disable csrf protection on controller-by-controller basis:
  skip_before_filter :verify_authenticity_token
end

Valid Options:

:only/:except - Passed to the before_filter call. Set which actions are verified.

# File 'lib/action_controller/metal/request_forgery_protection.rb', line 81

def protect_from_forgery(options = {})
  self.request_forgery_protection_token ||= :authenticity_token
  before_filter :verify_authenticity_token, options
end