How do I turn off CSRF protection in a rails app?

The CSRF prevention built into Rails is causing some problems for some automated load testing we are doing, and I want to turn it off for the duration of the process. How do I do this?

Laurie Young, asked Sep 26 '08 08:09



2 Answers

I love simple questions with clear answers.

#I go in application.rb
self.allow_forgery_protection = false

If you want to do this for testing only you can move that into one of the environment files (obviously, you'll be touching Application then rather than self). You could also write something like:

#I still go in application.rb
self.allow_forgery_protection = false unless ENV["RAILS_ENV"] == "production"

See here for details. (Continuing Rails' wonderful tradition of having documentation of core features in 2 year old blog posts, which were distilled from commit logs.)

Patrick McKenzie, answered Oct 18 '22 05:10

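The following is an added example, not code from the question or either answer, and a simplified pure-Ruby model rather than ActionController's own implementation. It shows what the flag set above actually gates (nothing for GET/HEAD, a constant-time token comparison for everything else) and applies the same production-only rule the answer uses; the request hash shape and method names are assumptions made for this snippet.

```ruby
require "securerandom"
require "base64"

# Simplified model of Rails' request-forgery protection (written for this
# page, not ActionController's own code) showing what the flag the answer
# sets actually gates, and the production-only rule from the answer.
class ForgeryProtection
  SAFE_METHODS = %w[GET HEAD].freeze   # idempotent verbs are never checked

  attr_accessor :allow_forgery_protection

  def initialize(rails_env)
    # Same rule as the answer: protection stays on in production only.
    @allow_forgery_protection = (rails_env == "production")
  end

  # The real token lives in the session (Rails uses session[:_csrf_token]).
  def session_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(32))
  end

  # Constant-time comparison so a wrong token is not distinguishable by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # request is a constructed hash: { method:, params:, headers: } (assumed shape).
  # Returns true when the request may proceed.
  def verified_request?(session, request)
    return true unless allow_forgery_protection            # switched off
    return true if SAFE_METHODS.include?(request[:method])  # GET/HEAD exempt
    presented = request[:params]["authenticity_token"] ||
                request[:headers]["X-CSRF-Token"]
    return false if presented.nil?
    secure_compare(presented, session_token(session))
  end
end

if __FILE__ == $PROGRAM_NAME
  prod = ForgeryProtection.new("production")
  session = {}
  token = prod.session_token(session)
  puts prod.verified_request?(session, { method: "POST", params: { "authenticity_token" => token }, headers: {} })  # true
  puts prod.verified_request?(session, { method: "POST", params: {}, headers: {} })  # false: no token
  puts ForgeryProtection.new("test").verified_request?(session, { method: "POST", params: {}, headers: {} })  # true: disabled
end
```

Because only the non-safe verbs are checked, a state-changing GET route gets no protection at all, regardless of the flag.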

In Rails 3, remove the protect_from_forgery command in app/controllers/application_controller.rb

Jeff Dickey, answered Oct 18 '22 05:10