verify_authenticity_token

verify_authenticity_token() (protected instance method). The actual before_action that is used to verify the CSRF token. Don't override this directly. Provide your own forgery protection strategy instead. If you override, you'll disable same-origin `<script>` verification. Lean on the protect_from_forgery declaration to mark which actions are due for same-origin request verification. If protect_from_forgery is enabled on an action, this before_action flags its after_action to v

verified_request?

verified_request?() (protected instance method). Returns true or false depending on whether a request is verified. Checks: Is it a GET or HEAD request? GETs should be safe and idempotent. Does the #form_authenticity_token match the given token value from the params? Does the X-CSRF-Token header match the #form_authenticity_token?

protect_against_forgery?

protect_against_forgery?() (protected instance method). Checks if the controller allows forgery protection.

non_xhr_javascript_response?

non_xhr_javascript_response?() (protected instance method). Checks for cross-origin JavaScript responses.

marked_for_same_origin_verification?

marked_for_same_origin_verification?() (protected instance method). If the `verify_authenticity_token` before_action ran, verify that JavaScript responses are only served to same-origin GET requests.

mark_for_same_origin_verification!

mark_for_same_origin_verification!() (protected instance method). GET requests are checked for cross-origin JavaScript after rendering.

handle_unverified_request

handle_unverified_request() (protected instance method).

form_authenticity_token

form_authenticity_token() (protected instance method). Sets the token value for the current session.

form_authenticity_param

form_authenticity_param() (protected instance method). The form's authenticity parameter. Override to provide your own.

handle_unverified_request

handle_unverified_request() (public instance method).