
Disable CSRF SiteWide

Is there a way to disable CSRF for all controllers, or does it have to be disabled on a per-controller basis? I am using ruby on rails as an API only and do not need any sort of CSRF as the requests aren't anywhere near session based. I'd like to disable just for JSON requests.

I believe this might work, but am unsure

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery
  skip_before_action :verify_authenticity_token, if: :json_request?

  protected

  # Checks whether the request format is JSON
  def json_request?
    request.format.json?
  end
end
steventnorris asked Oct 15 '14 17:10



1 Answer

As with many things in Rails, disabling something in a base controller has the effect of disabling it in all those derived from it. To turn off CSRF completely, disable it in ApplicationController:

skip_forgery_protection

This is an alias for:

skip_before_action :verify_authenticity_token

The skip_before_action method does have options to customize how it's applied, so you can narrow down the focus on this:

skip_before_action :verify_authenticity_token, unless: :csrf_required?

Where, as you've shown, you can define a method to restrict it. If that method returns true the action is executed as usual, otherwise it's skipped.

When writing an API it's common to have something like API::BaseController as an intermediate controller so you can separate session-based activity from API-based activity. For example:

class API::BaseController < ApplicationController
  skip_before_action :verify_authenticity_token
end

Then derive all your API-specific controllers from that one. Even in an application that's predominantly API driven, you may need a conventional "signup" page with a form submission on it, or an admin area with the ability to edit and update things.

One option I've discovered is to disable CSRF protection if an API key is supplied. For example:

# CSRF verification stays on only for requests that carry no API key
def csrf_required?
  params[:api_key].blank?
end

That means you can still accept traditional "form-encoded" or XML API calls. If your API key is supplied via headers instead, as some require, you can adapt that to test against the request accordingly.

tadman answered Oct 06 '22 09:10
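To show how the conditional skip in the answer and the unconditional skip in an API::BaseController interact through inheritance, here is an added example that is not from the question or the answer: a hand-rolled, Rails-free stand-in for the callback chain (FakeBase, Request, the if_cond/unless_cond fields and `process` are all assumptions of this example; the controller names and the csrf_required? rule mirror the answer). It runs with plain Ruby and reports which callbacks fired for a given request.

```ruby
# Hand-rolled stand-in for the slice of Rails' callback chain the answer relies on
# (assumption: this is not ActionController; method names mirror the real API).
Callback = Struct.new(:name, :if_cond, :unless_cond)
Request  = Struct.new(:params, keyword_init: true)

class FakeBase
  # Each subclass copies its parent's chain, so a skip in a subclass never leaks back up.
  def self.callbacks
    @callbacks ||= superclass.respond_to?(:callbacks) ? superclass.callbacks.map(&:dup) : []
  end
  def self.before_action(name, **opts)
    callbacks << Callback.new(name, opts[:if], opts[:unless])
  end
  # Rails drops the callback and, when a condition is given, re-adds it with that
  # condition negated: `skip ..., unless: :x` leaves it running only when x is true.
  def self.skip_before_action(name, **opts)
    callbacks.delete_if { |c| c.name == name }
    callbacks << Callback.new(name, opts[:unless], opts[:if]) unless opts.empty?
  end
  def self.protect_from_forgery; before_action(:verify_authenticity_token); end

  attr_reader :request, :ran
  def initialize(request); @request = request; @ran = []; end
  def params; request.params; end
  def verify_authenticity_token; ran << :verify_authenticity_token; end

  # Runs the chain for one request; returns the names of the callbacks that ran.
  def process
    self.class.callbacks.each do |cb|
      next if cb.if_cond && !send(cb.if_cond)
      next if cb.unless_cond && send(cb.unless_cond)
      send(cb.name)
    end
    ran
  end
end

class ApplicationController < FakeBase
  protect_from_forgery
  skip_before_action :verify_authenticity_token, unless: :csrf_required?
  protected
  # The answer's rule: a request carrying an API key is not session driven, so the
  # token check is skipped for it (plain Ruby in place of ActiveSupport's blank?).
  def csrf_required?; params[:api_key].nil? || params[:api_key].to_s.empty?; end
end

module API; end
class API::BaseController < ApplicationController
  skip_before_action :verify_authenticity_token # unconditional for the whole API
end
class AdminController < ApplicationController; end # keeps the conditional rule
```

A form post to AdminController with no api_key still runs verify_authenticity_token, the same request with an api_key does not, and anything under API::BaseController never does, while ApplicationController's own chain is left untouched by the subclass skip.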