protect_from_forgery(options = {}) public

Protect a controller’s actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site. This is done by embedding a token based on the session (which an attacker wouldn’t know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you’ll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent anyway.

You turn this on with the #protect_from_forgery method, which will perform the check and raise an ActionController::InvalidAuthenticityToken if the token doesn’t match what was expected. And it will add a _authenticity_token parameter to all forms that are automatically generated by Rails. You can customize the error message given through public/422.html.

Learn more about CSRF (Cross-Site Request Forgery) attacks:

Keep in mind, this is NOT a silver-bullet, plug ‘n’ play, warm security blanket for your Rails application. There are a few guidelines you should follow:

If you need to construct a request yourself, but still want to take advantage of forgery protection, you can grab the authenticity_token using the form_authenticity_token helper method and make it part of the parameters yourself.


  class FooController < ApplicationController
    # uses the cookie session store (then you don't need a separate :secret)
    protect_from_forgery :except => :index

    # uses one of the other session stores that uses a session_id value.
    protect_from_forgery :secret => 'my-little-pony', :except => :index

    # you can disable csrf protection on a controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end

Valid Options:

  • :only/:except - passed to the before_filter call. Set which actions are verified.
  • :secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store.
  • :digest - Message digest used for hashing. Defaults to ‘SHA1’
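
The check described above, sketched as an added Ruby example (not Rails's own code and not part of the original page). It assumes the token is an HMAC of the session id keyed with the :secret salt and submitted as `authenticity_token`; `form_token`, `secure_equal?`, `verify_request!`, `rejected?` and the sample session ids are hypothetical names and constructed values, and the HTML/JavaScript format check is left out.

```ruby
require 'openssl'

# Hypothetical stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Derive the per-session token: HMAC over the session id, keyed with the
# :secret salt, using the :digest algorithm (the page's default is SHA1).
# Assumption: this derivation is illustrative, not copied from Rails.
def form_token(session_id, secret, digest = 'SHA1')
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, session_id)
end

# Constant-time comparison, so a mismatch does not reveal how many leading
# characters of the submitted token were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The check a before-filter would run. `request` is a plain Hash
# (constructed for this example) with :method, :session_id and :params.
def verify_request!(request, secret)
  return true if request[:method] == 'GET' # GET requests are not checked
  expected  = form_token(request[:session_id], secret)
  submitted = request[:params]['authenticity_token'].to_s
  raise InvalidAuthenticityToken unless secure_equal?(expected, submitted)
  true
end

# Convenience wrapper: true when the request would be refused.
def rejected?(request, secret)
  verify_request!(request, secret)
  false
rescue InvalidAuthenticityToken
  true
end

SECRET = 'my-little-pony'    # salt taken from the page's own example
VICTIM = 'a3f1c2d4e5b60718'  # constructed session id
OTHER  = '0f9e8d7c6b5a4321'  # constructed session id of a different user

# A form rendered by the application carries the victim's own token.
legit  = { method: 'POST', session_id: VICTIM,
           params: { 'authenticity_token' => form_token(VICTIM, SECRET) } }
# A cross-site form rides on the victim's session but cannot know the token.
forged = { method: 'POST', session_id: VICTIM, params: {} }
```

A token derived for another session (`form_token(OTHER, SECRET)`) is refused as well, which is why the token must be tied to the session rather than being a site-wide constant.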
May 12, 2009
2 thanks


Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, e.g.:

  <%= hidden_field_tag :authenticity_token, form_authenticity_token -%>