Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is Rails' protect_from_forgery really useful?

I'm asking this because I feel that it's making my life overly complicated when I start communicating with rails using ajax or flash.

I know it's nice to protect against CSRF, but couldn't I just check the referer or something instead?

like image 841
marcgg Avatar asked Nov 25 '09 14:11

marcgg


1 Answers

Many users deactivate their referer, mostly not by choice.
But because they're behind a firewall that's blocking it.

Using protect from forgery is the only solution to protect you against CSRF.
But you can deactivate for any action you wish.

In your controller, you add :

skip_before_filter :verify_authenticity_token, :only => :create

This will deactive the token verification for the create action in the controller where you've added the filter.

like image 145
Damien MATHIEU Avatar answered Oct 05 '22 09:10

Damien MATHIEU