 

How can I change the meta tags name of 'csrf-param' and 'csrf-token' in Rails 4?

As the title states, I wonder how I can change the meta tag names csrf-param and csrf-token?

<meta content="authenticity_token" name="csrf-param" />
<meta content="123456" name="csrf-token" />

I'm asking this because, for safety reasons, I want to hide which technology I'm using to power my website. The Chrome plugin Wappalyzer uses these meta tags as indicators for Ruby on Rails.

Robin asked Sep 26 '14 20:09


People also ask

What is meta name CSRF token?

CSRF tokens normally go in a form as hidden form fields. Putting them in a meta tag only makes sense if you are using JavaScript. JavaScript could read the tokens from the meta tag and post them to an action.

How does CSRF token work in Rails?

Rails CSRF Token: The server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.

How does the authenticity token work in Rails?

When the user submits the form, Rails looks for the authenticity_token, compares it to the one stored in the session, and if they match the request is allowed to continue. Since the authenticity token is stored in the session, the client cannot know its value.

How does rails prevent CSRF?

Briefly, Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user to spoof legitimate requests to your server, masquerading as an authenticated user. Rails protects against this kind of attack by generating unique tokens and validating their authenticity with each submission.


1 Answer

Create an initializer called change_csrf_name.rb

Inside this file you can change the :name => 'xyz'. Beware that it might break some built-in functionality you were not expecting.

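# Reopens ActionView's CsrfHelper and overrides csrf_meta_tags.
# Change the two :name values below to the tag names you want rendered.
module ActionView
  module Helpers
    module CsrfHelper
      def csrf_meta_tags
        # Emit the tags only when forgery protection is enabled
        if protect_against_forgery?
          [
            tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
            tag('meta', :name => 'csrf-token', :content => form_authenticity_token)
          ].join("\n").html_safe
        end
      end
    end
  end
end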
Blair Anderson answered Oct 11 '22 13:10
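
The functionality most likely to break is AJAX: the Rails UJS driver (jquery_ujs, rails-ujs) finds the token with the selector meta[name=csrf-token], so after a rename it stops attaching the token and non-GET requests fail the authenticity check. The helper below is an added example, not part of the original answer or of Rails, that reads the renamed tags and supplies the X-CSRF-Token header itself; the tag names app-token and app-param are hypothetical and must match whatever the initializer renders.

```javascript
// Hypothetical replacement names; they must match the :name values set in
// the initializer's csrf_meta_tags override.
const TOKEN_META = 'app-token'; // stands in for 'csrf-token'
const PARAM_META = 'app-param'; // stands in for 'csrf-param'

// Content of <meta name="..."> or null. `doc` is `document` in a browser.
function metaContent(doc, name) {
  const el = doc.querySelector(`meta[name="${name}"]`);
  return el ? el.getAttribute('content') : null;
}

// True only if `url` resolves to the same origin as the current page.
function isSameOrigin(url, pageUrl) {
  try {
    return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign and send no token
  }
}

// Extra headers for an AJAX request. Rails skips the check for GET and HEAD,
// and the token must never be sent to another origin.
function csrfHeaders(doc, method, url, pageUrl) {
  if (/^(GET|HEAD)$/i.test(method)) return {};
  if (!isSameOrigin(url, pageUrl)) return {};
  const token = metaContent(doc, TOKEN_META);
  return token ? { 'X-CSRF-Token': token } : {};
}

// Name/value pair for a hidden form field, for forms built in JavaScript.
function csrfFormField(doc) {
  const name = metaContent(doc, PARAM_META);
  const value = metaContent(doc, TOKEN_META);
  return name && value ? { name, value } : null;
}
```

In a browser, pass `document` and `location.href`, for example `fetch(url, { method: 'POST', headers: csrfHeaders(document, 'POST', url, location.href) })`.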