protect_from_forgery

protect_from_forgery(options = {})

Instance Public methods

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

class ApplicationController < ActionController::Base
  protect_from_forgery
end

class FooController < ApplicationController
  protect_from_forgery except: :index

You can disable CSRF protection on controller by skipping the verification before_action:

skip_before_action :verify_authenticity_token

Valid Options:

:only/:except - Passed to the before_action call. Set which actions are verified.
:with - Set the method to handle unverified request.

Valid unverified request handling methods are:

:exception - Raises ActionController::InvalidAuthenticityToken exception.
:reset_session - Resets the session.
:null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.

Links:

https://github.com/rails/rails/blob/4f4fdd643f9d19fbbeeec3ac77674f791c9beffa/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L97

doc_ruby_on_rails

2015-06-20 00:00:00

Comments