It’s important to remember that XML or JSON requests are also affected and if you’re building an API you’ll need something like:
    class ApplicationController < ActionController::Base
      protect_from_forgery
      skip_before_action :verify_authenticity_token, if: :json_request?

      protected

      def json_request?
        request.format.json?
      end
    end
CSRF protection is turned on with the protect_from_forgery method, which checks the token and resets the session if it doesn’t match what was expected. A call to this method is generated for new Rails applications by default.
The token parameter is named authenticity_token by default. The name and value of this token must be added to every layout that renders forms by including csrf_meta_tags in the HTML head.
Learn more about CSRF attacks and securing your application in the Ruby on Rails Security Guide.
AUTHENTICITY_TOKEN_LENGTH = 32
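The token check and the JSON skip described above, as an added example that is not Rails' own implementation: a small stand-in for what protect_from_forgery and csrf_meta_tags do, with the names FakeRequest and CsrfGuard assumed for illustration (Rails' per-request token masking is left out).

```ruby
require 'securerandom'
# Added example, not Rails' own code: a minimal stand-in for the token check
# protect_from_forgery performs. FakeRequest and CsrfGuard are hypothetical names.
TOKEN_LENGTH = 32 # same value as AUTHENTICITY_TOKEN_LENGTH on this page

FakeRequest = Struct.new(:http_method, :format, :params, :headers, keyword_init: true)

class CsrfGuard
  attr_reader :session
  def initialize(session = {})
    @session = session
  end

  # Per-session token; form helpers and csrf_meta_tags render this value.
  def authenticity_token
    @session[:_csrf_token] ||= SecureRandom.urlsafe_base64(TOKEN_LENGTH)
  end

  # The <head> fragment csrf_meta_tags would emit.
  def csrf_meta_tags
    "<meta name=\"csrf-param\" content=\"authenticity_token\" />\n" \
      "<meta name=\"csrf-token\" content=\"#{authenticity_token}\" />"
  end

  # Mirrors the json_request? predicate used in the skip_before_action above.
  def json_request?(req)
    req.format == :json
  end

  # True if the request may proceed: GET/HEAD are not verified, JSON API calls
  # are skipped, and any other mismatch resets the session as the page describes.
  def verified?(req)
    return true if %w[GET HEAD].include?(req.http_method.to_s.upcase)
    return true if json_request?(req)
    submitted = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
    expected = @session[:_csrf_token]
    return true if submitted && expected && secure_compare(submitted, expected)
    @session.clear
    false
  end

  private
  # Constant-time comparison so the check cannot leak token bytes via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```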