It's important to remember that XML or JSON requests are also affected, and if you're building an API you'll need something like:

  class ApplicationController < ActionController::Base
    protect_from_forgery
    skip_before_action :verify_authenticity_token, if: :json_request?

    protected

    def json_request?
      request.format.json?
    end
  end
CSRF protection is turned on with the protect_from_forgery method, which checks the token and resets the session if it doesn't match what was expected. A call to this method is generated for new Rails applications by default.

The token parameter is named authenticity_token by default. The name and value of this token must be added to every layout that renders forms by including csrf_meta_tags in the HTML.
Learn more about CSRF attacks and securing your application in the Ruby on Rails Security Guide.
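As an added, stand-alone illustration (not the module's own code) of what the protect_from_forgery check does, the following models the token round trip: a per-session token, the masked value placed in the form or meta tag, and the verification that either accepts the request, resets the session, or, for JSON requests, skips the check as the snippet above does. The 32-byte token length, the pad + XOR wire format and the helper names are assumptions made for the example.

```ruby
require "securerandom"
require "base64"

# Assumed token size for this example; the token lives in the session.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Fresh random token stored in the session.
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Value emitted into the authenticity_token field / csrf meta tag.
# A fresh one-time pad per render means two masked copies of the same
# session token never look alike on the wire.
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, session_token))
end

# Recover the raw token from a submitted masked value; nil if malformed.
def unmask_token(masked)
  raw = Base64.strict_decode64(masked) rescue nil
  return nil unless raw && raw.bytesize == 2 * TOKEN_LENGTH
  pad, encrypted = raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, encrypted)
end

# Fixed-time comparison so a mismatch does not leak which byte differed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_authenticity_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  plain = unmask_token(submitted)
  !plain.nil? && secure_compare(plain, session_token)
end

# Mirrors the page's skip_before_action ... if: :json_request? decision:
# JSON requests skip the check, form posts are verified, and a mismatch
# leads to the session reset the text describes.
def handle_request(session_token, format:, submitted:)
  return :skipped if format == :json
  valid_authenticity_token?(session_token, submitted) ? :ok : :reset_session
end
```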
Defined Under Namespace
Modules: ClassMethods, ProtectionMethods
Methods included from ActiveSupport::Concern: append_features, extended, included