ActionController::RequestForgeryProtection

Controller actions are protected from CSRF attacks by ensuring that every form submission originates from the current web application rather than from a forged link or form on another site. Rails does this by embedding a token derived from a random string stored in the session (which an attacker cannot know) in every form and Ajax request it generates, and then verifying that token in the controller. Only HTML/JavaScript requests are checked, so this does not protect an XML API (presumably you have a separate authentication scheme there anyway). GET requests are also not checked, since they are expected to be safe and idempotent, i.e. to cause no state change.

Protection is turned on with the protect_from_forgery method, which installs a filter that checks the token and raises ActionController::InvalidAuthenticityToken if it does not match what was expected. You can customize the error page shown in production by editing public/422.html. Applications generated by Rails 2.0 or later include a call to this method in ApplicationController by default.

The token parameter is named authenticity_token by default. If you generate an HTML form manually (without Rails’ form_for, form_tag or other helpers), you must include a hidden field with that name and set its value to what form_authenticity_token returns; otherwise every submission of that form will be rejected as unverified.

Request forgery protection is disabled by default in test environment. If you are upgrading from Rails 1.x, add this to config/environments/test.rb:

  # Disable request forgery protection in test environment
  config.action_controller.allow_forgery_protection = false

Learn more about CSRF (Cross-Site Request Forgery) attacks

Here are some resources:

Keep in mind, this is NOT a silver-bullet, plug ‘n’ play, warm security blanket for your rails application. There are a few guidelines you should follow:

Protected Instance Methods

form_authenticity_param()

The form’s authenticity parameter. Override to provide your own.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 115
      def form_authenticity_param
        params[request_forgery_protection_token]
      end
form_authenticity_token()

Returns the token for the current session, generating and storing a new random one in session[:_csrf_token] the first time it is called. Subsequent calls within the same session return the same value, which is what makes the value embedded in a form match the value checked on submission.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 110
      def form_authenticity_token
        session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
      end
protect_against_forgery?()

Returns the allow_forgery_protection setting, i.e. whether the token check is enabled at all. This is what config.action_controller.allow_forgery_protection = false (as in the test environment) turns off.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 119
      def protect_against_forgery?
        allow_forgery_protection
      end
protect_from_forgery(options = {})

Sets the token parameter name (defaulting to :authenticity_token) and installs verify_authenticity_token as a before_filter. The options hash is passed straight to before_filter, so :only and :except can restrict which actions are checked; be aware that any action you exclude is left unprotected.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 89
      def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        before_filter :verify_authenticity_token, options
      end
verified_request?()

Returns true if the request is verified and false otherwise. A request passes when any one of the following holds:

  • forgery protection is disabled (protect_against_forgery? is false);

  • the request is whitelisted by request.forgery_whitelisted?, which covers GET requests (these should be safe and idempotent) and requests whose format is not checked (by default only HTML/JavaScript requests are checked);

  • the token in the session (form_authenticity_token) equals the token submitted in the params under request_forgery_protection_token.

Note that the comparison is a plain String ==, and that only the params are consulted here, not a request header; a request without the parameter fails because the session token never equals nil.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 104
      def verified_request?
        !protect_against_forgery? || request.forgery_whitelisted? ||
          form_authenticity_token == params[request_forgery_protection_token]
      end
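The following is an added, stand-alone model of the scheme described on this page (the hidden field a hand-written form must carry, and the three-way check in verified_request?). It is example code written for this page, not the framework's own implementation: it keeps the Rails names (authenticity_token, session[:_csrf_token], forgery_whitelisted?) but substitutes Ruby's stdlib SecureRandom for ActiveSupport::SecureRandom, a plain Hash for the session and a small Request struct for the real request object, all of which are assumptions made so it runs without Rails.

```ruby
# Added example modelling Rails' CSRF token check; not the framework's code.
# Assumptions: stdlib SecureRandom stands in for ActiveSupport::SecureRandom,
# a Hash stands in for the session, and Request/ForgeryProtectedController
# are hypothetical stand-ins for the real request and controller classes.
require 'securerandom'
require 'cgi'

class InvalidAuthenticityToken < StandardError; end

# Minimal stand-in for a Rails request: HTTP verb, response format, params.
Request = Struct.new(:verb, :format, :params, keyword_init: true) do
  def get?
    verb.to_s.upcase == 'GET'
  end

  # Stand-in for request.forgery_whitelisted?: GETs and non-HTML/JS formats
  # are never checked, exactly the two exemptions the docs describe.
  def forgery_whitelisted?
    get? || !%w[html js].include?(format.to_s)
  end
end

class ForgeryProtectedController
  TOKEN_PARAM = :authenticity_token # default request_forgery_protection_token

  attr_reader :session

  def initialize(session = {}, allow_forgery_protection: true)
    @session = session
    @allow_forgery_protection = allow_forgery_protection
  end

  def protect_against_forgery?
    @allow_forgery_protection
  end

  # Same contract as Rails: the session's token, created on first use and
  # then stable for the life of the session.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # The hidden field a manually written form has to include (this is what
  # form_for/form_tag emit for you). Attribute-escaped like any user-facing value.
  def hidden_token_field
    value = CGI.escapeHTML(form_authenticity_token)
    %(<input type="hidden" name="#{TOKEN_PARAM}" value="#{value}" />)
  end

  def form_authenticity_param(request)
    request.params[TOKEN_PARAM]
  end

  # Mirrors verified_request?: disabled, whitelisted, or token matches.
  def verified_request?(request)
    !protect_against_forgery? || request.forgery_whitelisted? ||
      form_authenticity_token == form_authenticity_param(request)
  end

  def verify_authenticity_token(request)
    verified_request?(request) || raise(InvalidAuthenticityToken)
  end
end

# Walks through the cases a practitioner wants to see and returns the
# outcomes as a Hash so they can be asserted on rather than just printed.
def csrf_demo
  controller = ForgeryProtectedController.new({})
  token = controller.form_authenticity_token

  # Constructed sample requests: a legitimate Rails-rendered form, a form
  # hosted on an attacker's site (no token), a guessed token, a GET, an XML API call.
  legit   = Request.new(verb: 'POST', format: :html, params: { authenticity_token: token })
  forged  = Request.new(verb: 'POST', format: :html, params: { comment: 'spam' })
  guessed = Request.new(verb: 'POST', format: :html, params: { authenticity_token: SecureRandom.base64(32) })
  get     = Request.new(verb: 'GET',  format: :html, params: {})
  api     = Request.new(verb: 'POST', format: :xml,  params: {})

  raised = begin
    controller.verify_authenticity_token(forged)
    false
  rescue InvalidAuthenticityToken
    true
  end

  {
    legit:    controller.verified_request?(legit),
    forged:   controller.verified_request?(forged),
    guessed:  controller.verified_request?(guessed),
    get:      controller.verified_request?(get),
    xml_api:  controller.verified_request?(api),
    stable:   controller.form_authenticity_token == token,
    raises:   raised,
    # Test environment setting: allow_forgery_protection = false lets everything through.
    disabled: ForgeryProtectedController.new({}, allow_forgery_protection: false).verified_request?(forged)
  }
end
```

The two whitelisted cases (get and xml_api) pass without any token at all, which is the point of the caveat above: a state-changing action reachable by GET, or an endpoint that answers non-HTML formats, gets no CSRF protection from this filter and must be secured some other way.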
verify_authenticity_token()

The actual before_filter that is used. Override this to change how unverified requests are handled, for example to reset the session instead of raising.

      # File lib/action_controller/metal/request_forgery_protection.rb, line 95
      def verify_authenticity_token
        verified_request? || raise(ActionController::InvalidAuthenticityToken)
      end
