EnhancedRequestForgeryProtection

A plugin to protect against Cross-Site Request Forgery. From en.wikipedia.org/wiki/Crsf:

Cross-site request forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

Prevention

For the web site, switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) will help prevent these attacks. Use RequestForgeryProtection to include a secret, user-specific token in forms that is verified in addition to the cookie.

EnhancedRequestForgeryProtection extends Rails’ RequestForgeryProtection with scopes and time windows. By default authentication tokens are scoped to the controller, but can be arbitrarily defined. The default time window is 1 hour. Form submissions that come in outside the time window will be rejected. Scopes and time windows are useful when you want to protect certain areas more tightly then others. For example you might want to use a 15 minute time window for all actions that modify the user’s account.

Requests that fail authentication are redirected back to the referring URL. Typically this will be the page where the form originated. The user will receive a new authentication token and can resubmit the form. If it is no referring URL then the response will be Unprocessable Entity (HTTP code 422) just like the stock RequestForgeryProtection.

Contributing to EnhancedRequestForgeryProtection

  • Check out the latest master to make sure the feature hasn’t been implemented or the bug hasn’t been fixed yet

  • Check out the issue tracker to make sure someone already hasn’t requested it and/or contributed it

  • Fork the project

  • Start a feature/bugfix branch

  • Commit and push until you are happy with your contribution

  • Make sure to add tests for it. This is important so I don’t break it in a future version unintentionally.

  • Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

Copyright © 2007 Bart Teeuwisse. See LICENSE.txt for further details.