The protect_from_forgery
method isn't included in my application controller with a default Rails 6 app, but there's the embedded ruby <%= csrf_meta_tags %>
in the main application layout. Does this mean that the protect_from_forgery
method has been abstracted and is no longer explicitly needed in the application controller?
I've bought the Pragmatic Programmer's Rails 6 book and the only thing I could find was "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".
Rails includes a built-in mechanism for preventing CSRF, protect_from_forgery , which is included by default in the application_controller. rb controller when generating new applications. This protect_from_forgery method leverages magic to ensure that your application is protected from hackers!
Briefly, Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user to spoof legitimate requests to your server, masquerading as an authenticated user. Rails protects against this kind of attack by generating unique tokens and validating their authenticity with each submission.
Rails CSRF Token The server generates these tokens, links them to the user session, and stores them in the database. This token is then injected into any form presented to the client as a hidden field. When the client correctly submits the form for validation, it passes the token back to the server.
verify_authenticity_token() private. The actual before_action that is used to verify the CSRF token. Don't override this directly.
For rails 5.2 and higher is enabled by default on ActionController::Base. Check out this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55
* Protect from forgery by default
Rather than protecting from forgery in the generated ApplicationController,
add it to ActionController::Base depending on
`config.action_controller.default_protect_from_forgery`. This configuration
defaults to false to support older versions which have removed it from their
ApplicationController, but is set to true for Rails 5.2.
In official docs: https://edgeguides.rubyonrails.org/configuring.html
config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController:Base. This is false by default.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With