Module: EnhancedRequestForgeryProtection

Extended by:
ActiveSupport::Concern
Includes:
AbstractController::Helpers
Defined in:
lib/enhanced_request_forgery_protection.rb

Overview

A plugin to protect against Cross-Site Request Forgery.

Class variables

Because authenticity_token verification runs as a request filter, one cannot pass variables to verify_authenticity_token directly. But because EnhancedRequestForgeryProtection gets mixed into ActionController, one can use class instance variables to pass information to verify_authenticity_token and hexdigest. EnhancedRequestForgeryProtection uses the following attributes:

authenticity_scope

The scope of actions that use compatible authenticity tokens. Defaults to the ActionController’s class name which means that verify_authenticity_token only validates actions of that controller. Override to broaden the scope. Setting the scope in 2 controllers to the same value makes their authenticity tokens compatible.

authenticity_window

The time window within which the form has to be submitted and verified. Defaults to 1 hour.

authenticity_flash_timed_out_msg

The message passed to the session flash if the authenticity token arrives outside the authenticity window. Defaults to: Form submission timed out. Please resubmit.

authenticity_flash_invalid_msg

The message passed to the session flash if the authenticity_token doesn't validate. Defaults to: Possible form data tampering. Please resubmit.
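The following is an added, self-contained illustration of how a scope-bound, time-windowed token of the kind these attributes configure can be minted and checked; it is not the plugin's own code, and its token layout ("<issued_at>--<hexdigest>"), secret and class name are assumptions made for the example. It shows why two controllers with the same scope accept each other's tokens and how the timed-out and tampering cases are told apart.

```ruby
require 'openssl'

# Hypothetical illustration, not EnhancedRequestForgeryProtection itself.
# Token layout (assumed): "<issued_at>--<hexdigest>", where hexdigest is an
# HMAC-SHA256 over the scope and timestamp, keyed with a per-session secret.
class WindowedAuthenticityToken
  DEFAULT_WINDOW = 60 * 60 # 1 hour, the documented default for authenticity_window

  def initialize(secret, scope:, window: DEFAULT_WINDOW)
    @secret = secret # per-session secret; a real app would keep this in the session
    @scope  = scope  # plays the role of authenticity_scope
    @window = window # plays the role of authenticity_window, in seconds
  end

  # Mint a token for a form rendered at +issued_at+ (defaults to now).
  def generate(issued_at = Time.now.to_i)
    "#{issued_at}--#{hexdigest(issued_at)}"
  end

  # Verify a submitted token. Returns :ok, :timed_out or :invalid so a caller
  # can pick between the timed-out and the tampering flash message.
  def verify(token, now = Time.now.to_i)
    issued_at, digest = token.to_s.split('--', 2)
    return :invalid unless issued_at.to_s.match?(/\A\d+\z/) && digest
    return :invalid unless secure_equal?(digest, hexdigest(issued_at.to_i))

    age = now - issued_at.to_i
    return :timed_out if age.negative? || age > @window

    :ok
  end

  private

  # Binding the scope into the digest is what makes tokens from two controllers
  # compatible only when both use the same scope value.
  def hexdigest(issued_at)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{@scope}|#{issued_at}")
  end

  # Constant-time comparison so a forged digest cannot be refined byte by byte
  # from response timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```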

Defined Under Namespace

Modules: ClassMethods, InstanceMethods