method

protect_from_forgery

Ruby on Rails latest stable (v2.3.4) - 1 note - Class: ActionController::RequestForgeryProtection::ClassMethods

v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
2.0.0 (0)
2.0.1 (0)
2.0.2 (5)
2.0.3 (-38)
2.1.0 (0)
2.2.1 (0)
2.3.2 (-9)
2.3.4 (0)
What's this?

protect_from_forgery(options = {}) public

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

  class FooController < ApplicationController
    protect_from_forgery :except => :index

    # you can disable csrf protection on controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end

Valid Options:

:only/:except - Passed to the before_filter call. Set which actions are verified.

Show source

# File actionpack/lib/action_controller/request_forgery_protection.rb, line 67
      def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
        if options[:secret] || options[:digest]
          ActiveSupport::Deprecation.warn("protect_from_forgery only takes :only and :except options now. :digest and :secret have no effect", caller)
        end
      end

May 12, 2009

1 thank

form_authenticity_token

Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:

   <%= hidden_field_tag :authenticity_token, form_authenticity_token -%>

protect_from_forgery

Related methods

form_authenticity_token