Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

protect_from_forgery in Rails 6?

Tags:

ruby

ruby-on-rails

csrf

csrf-token

The protect_from_forgery method isn't included in my application controller with a default Rails 6 app, but there's the embedded ruby <%= csrf_meta_tags %> in the main application layout. Does this mean that the protect_from_forgery method has been abstracted and is no longer explicitly needed in the application controller?

I've bought the Pragmatic Programmer's Rails 6 book and the only thing I could find was "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".

like image 372
greenie-beans Avatar asked Apr 26 '19 02:04

greenie-beans

People also ask

What is Rails Protect_from_forgery?

Rails includes a built-in mechanism for preventing CSRF, protect_from_forgery , which is included by default in the application_controller. rb controller when generating new applications. This protect_from_forgery method leverages magic to ensure that your application is protected from hackers!

How does Rails prevent CSRF?

Briefly, Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user to spoof legitimate requests to your server, masquerading as an authenticated user. Rails protects against this kind of attack by generating unique tokens and validating their authenticity with each submission.

Where does Rails store CSRF token?

Rails CSRF Token The server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.

What is Verify_authenticity_token?

verify_authenticity_token() private. The actual before_action that is used to verify the CSRF token. Don't override this directly.

1 Answers

For rails 5.2 and higher is enabled by default on ActionController::Base. Check out this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55


*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

In official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController:Base. This is false by default.
like image 62
nuaky Avatar answered Oct 10 '22 21:10

nuaky
Sign in to Comment

Related questions

How to find out which Ruby version an existing Rails project is based on?
Ruby expression evaluation: whitespace matters?
Is there any reporting tool or a gem in Ruby on Rails
How to send CORS headers with Devise if user not authorized (401 response)
What are these numbers in Goto Anything of Sublime Text 2
Create new Table in ruby on rails
Rails 5: How Do I Set Up a Merge Tool to use for rails app:update?
Sproutcore or Cappuccino for Ruby-on-rails?
rails Select Form Tag - How to add a default "All" option?
Ruby Feature Switches / Feature Flippers
rspec & devise test helpers
Factory Girl failing Rspec validation tests
What does the .rewind method do on a Tempfile in ruby?
How to specify a Rails 3 scope.limit - with an offset?
How do I validate a non-model form in Rails 3?
rescuing from Mysql2::Error
Headless gem: webkit_server: cannot connect to X server
Is there a way to do an early exit or "return" from a view in Rails?
Rails - Test validation of enum fields
Why does the CSRF token in Rails not prevent multiple tabs from working properly?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!