 

protect_from_forgery in Rails 6?

The protect_from_forgery method isn't included in my application controller with a default Rails 6 app, but there's the embedded ruby <%= csrf_meta_tags %> in the main application layout. Does this mean that the protect_from_forgery method has been abstracted and is no longer explicitly needed in the application controller?

I've bought the Pragmatic Programmer's Rails 6 book and the only thing I could find was "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".

greenie-beans asked Apr 26 '19 02:04


People also ask

What is Rails Protect_from_forgery?

Rails includes a built-in CSRF protection mechanism, protect_from_forgery. Older generators placed it in the generated application_controller.rb; since Rails 5.2 it is applied to ActionController::Base through config.action_controller.default_protect_from_forgery. Calling it installs the verify_authenticity_token before_action, which rejects requests that are not GET or HEAD unless they carry a valid authenticity token.

How does Rails prevent CSRF?

Briefly, Cross-Site Request Forgery (CSRF) is an attack in which a malicious site makes a victim's browser send requests to your server that look like legitimate requests from an authenticated user. Rails protects against this by generating a secret token bound to the session and validating it on every state-changing request.

Where does Rails store CSRF token?

Rails CSRF Token: the server generates the token and stores it in the user's session (by default the cookie-based session store), not in the database. A masked copy of the token is injected into every form as a hidden authenticity_token field and, via csrf_meta_tags, into the page head so JavaScript can send it in the X-CSRF-Token header. When the client submits the form or request, it passes the token back and the server checks it against the session.

What is Verify_authenticity_token?

verify_authenticity_token() (private) is the actual before_action used to verify the CSRF token. The Rails API docs say not to override it directly.


1 Answer

For Rails 5.2 and higher it is enabled by default on ActionController::Base. Check out this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55


*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

In the official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.
nuaky answered Oct 10 '22 21:10
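A standalone illustration of the token scheme that protect_from_forgery enforces, added here as an example that is not part of the original answer or of Rails' own code. It reimplements the session-bound masked token (the value csrf_meta_tags and the form helpers emit) and the verification step with only the Ruby standard library, so it runs without Rails. The CsrfDemo module, the Hash-shaped session and request objects and the csrf_demo_results function are this example's own conventions; Rails 6's per-form tokens and Origin header check are left out.

```ruby
require "securerandom"
require "base64"

# Standalone reimplementation of the CSRF token scheme behind Rails'
# protect_from_forgery (ActionController::RequestForgeryProtection), for
# illustration only. Assumptions: sessions and requests are plain Hashes,
# and Rails 6's per-form tokens and Origin check are omitted.
module CsrfDemo
  TOKEN_LENGTH = 32            # bytes of raw secret kept in the session
  SAFE_METHODS = %w[GET HEAD]  # never checked, so GET must stay side-effect free

  # XOR two equal-length byte strings (the masking primitive Rails uses).
  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so a forged token cannot be refined byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The raw secret is created once per session and lives in the session store
  # (the cookie store by default); nothing is written to a database.
  def self.real_csrf_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
    Base64.strict_decode64(session[:_csrf_token])
  end

  # What csrf_meta_tags and the form helpers emit: the raw token XORed with a
  # fresh one-time pad, prefixed by that pad. Every render yields a different
  # string for the same session, which blunts compression side-channel attacks.
  def self.masked_authenticity_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
  end

  # Inverse of the above: strip the pad, recover the raw token, compare.
  def self.valid_authenticity_token?(session, encoded)
    return false unless encoded.is_a?(String)
    masked = begin
      Base64.strict_decode64(encoded)
    rescue ArgumentError
      return false
    end
    return false unless masked.bytesize == TOKEN_LENGTH * 2
    pad       = masked[0, TOKEN_LENGTH]
    encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
  end

  # Mirrors the decision verify_authenticity_token makes: safe methods pass;
  # anything else needs a valid token from the hidden form field or from the
  # X-CSRF-Token header (which rails-ujs fills from the csrf_meta_tags output).
  def self.verified_request?(session, request)
    return true if SAFE_METHODS.include?(request[:method])
    candidate = request.dig(:params, "authenticity_token") ||
                request.dig(:headers, "X-CSRF-Token")
    valid_authenticity_token?(session, candidate)
  end
end

# Exercise the scheme against constructed requests; returns a Hash of outcomes.
def csrf_demo_results
  session = {}
  token   = CsrfDemo.masked_authenticity_token(session)
  {
    form_post:     CsrfDemo.verified_request?(session, { method: "POST", params: { "authenticity_token" => token } }),
    ajax_post:     CsrfDemo.verified_request?(session, { method: "POST", headers: { "X-CSRF-Token" => token } }),
    plain_get:     CsrfDemo.verified_request?(session, { method: "GET" }),
    forged_post:   CsrfDemo.verified_request?(session, { method: "POST", params: { "authenticity_token" => "attacker-guess" } }),
    missing_token: CsrfDemo.verified_request?(session, { method: "DELETE" }),
    other_session: CsrfDemo.verified_request?({}, { method: "POST", params: { "authenticity_token" => token } }),
    masks_rotate:  CsrfDemo.masked_authenticity_token(session) != token,
  }
end

if __FILE__ == $PROGRAM_NAME
  csrf_demo_results.each { |name, ok| puts "#{name}: #{ok}" }
end
```

The constructed cases show what the answer's default buys you: a POST with the token from a form or from the X-CSRF-Token header passes, a GET is never checked, and a guessed token, a missing token or a token minted for a different session is rejected. In a real Rails 6 app you can confirm the same behaviour is wired up, without adding protect_from_forgery yourself, by checking in a console that Rails.application.config.action_controller.default_protect_from_forgery is true (config.load_defaults 5.2 or later sets it) and that ApplicationController._process_action_callbacks.map(&:filter) includes :verify_authenticity_token.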