This is turned on with the protect_from_forgery method, which will check the token and raise an ActionController::InvalidAuthenticityToken if it doesn’t match what was expected. You can customize the error message in production by editing public/422.html. A call to this method in ApplicationController is generated by default in post-Rails 2.0 applications.
The token parameter is named authenticity_token by default. If you are generating an HTML form manually (without the use of Rails' form_for, form_tag or other helpers), you have to include a hidden field named like that and set its value to what is returned by form_authenticity_token.
  # Disable request forgery protection in test environment
  config.action_controller.allow_forgery_protection = false
Learn more about CSRF (Cross-Site Request Forgery) attacks
Here are some resources:
Keep in mind, this is NOT a silver-bullet, plug ‘n’ play, warm security blanket for your rails application. There are a few guidelines you should follow:
- Keep your GET requests safe and idempotent. More reading material:
- Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look for "Expires: at end of session"
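The following is an added illustration of the two points above (the per-session token that a hand-written form must carry in a hidden field named authenticity_token, and the fact that only non-GET/HEAD requests are checked, which is why GET handlers must stay safe and idempotent). It is not Rails' own implementation: ForgeryProtectedController, InvalidAuthenticityToken and the :_csrf_token session key are hypothetical stand-ins that model the comparison protect_from_forgery performs, using only the Ruby standard library.

```ruby
require 'securerandom'
require 'cgi'

# Stand-in for ActionController::InvalidAuthenticityToken (hypothetical class).
class InvalidAuthenticityToken < StandardError; end

# Hypothetical model of the controller side of protect_from_forgery:
# one random token per session, echoed into the form as a hidden field,
# and compared against the submitted parameter on every unsafe request.
class ForgeryProtectedController
  TOKEN_PARAM  = 'authenticity_token'
  SAFE_METHODS = %w[GET HEAD].freeze

  attr_reader :session

  def initialize(session = {})
    @session = session # in Rails this would be the (non-persistent) session cookie
  end

  # Equivalent of form_authenticity_token: generated once, then reused for the session.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What a manually written form must include; the field name must match TOKEN_PARAM.
  def hidden_token_field
    %(<input type="hidden" name="#{TOKEN_PARAM}" value="#{CGI.escapeHTML(form_authenticity_token)}" />)
  end

  # GET/HEAD are never checked, so a state-changing GET would bypass this entirely.
  # Everything else must carry a token equal to the one stored in the session.
  def verify_authenticity_token!(http_method, params)
    return true if SAFE_METHODS.include?(http_method.to_s.upcase)
    raise InvalidAuthenticityToken unless valid_token?(params[TOKEN_PARAM])
    true
  end

  private

  def valid_token?(submitted)
    expected = session[:_csrf_token]
    return false if submitted.nil? || expected.nil?
    secure_compare(submitted.to_s, expected)
  end

  # Constant-time comparison so response timing does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  ctrl = ForgeryProtectedController.new
  puts ctrl.hidden_token_field                       # paste this into a hand-written <form>
  ctrl.verify_authenticity_token!('POST', 'authenticity_token' => ctrl.form_authenticity_token)
  puts 'legitimate POST accepted'
  begin
    ctrl.verify_authenticity_token!('POST', 'authenticity_token' => 'attacker-guess')
  rescue InvalidAuthenticityToken
    puts 'forged POST rejected'
  end
end
```

A cross-site attacker can make the victim's browser send the session cookie, but cannot read the token out of the victim's page, so the forged POST fails the comparison; the same attacker can still trigger any GET, which is exactly why GET must not change state.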