RSpec
Ruby on Rails
Ruby
method
protect_from_forgery
v2.0.3 -
Show latest stable
-
1 note -
Class: ActionController::RequestForgeryProtection::ClassMethods
- 1.0.0
- 1.1.6
- 1.2.6
- 2.0.3 (0)
- 2.1.0 (0)
- 2.2.1 (0)
- 2.3.8 (-19)
- 3.0.0 (0)
- 3.0.9 (4)
- 3.1.0 (0)
- 3.2.1 (0)
- 3.2.8 (0)
- 3.2.13 (0)
- 4.0.2 (16)
- 4.1.8 (-1)
- 4.2.1 (-1)
- 4.2.7 (0)
- 4.2.9 (0)
- 5.0.0.1 (26)
- 5.1.7 (0)
- 5.2.3 (0)
- 6.0.0 (0)
- 6.1.3.1 (0)
- 6.1.7.7 (0)
- 7.0.0 (16)
- 7.1.3.2 (38)
- 7.1.3.4 (0)
- 7.2.3 (0)
- 8.0.0 (0)
- 8.1.1 (0)
- What's this?
-
is_storage_strategy?
(>= v7.1.3.2)
-
protect_from_forgery
-
protection_method_class
(>= v4.0.2)
-
skip_forgery_protection
(>= v5.2.3)
-
storage_strategy
(>= v7.1.3.2)
= private
= protected
protect_from_forgery(options = {})
public
Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
Example:
class FooController < ApplicationController # uses the cookie session store (then you don't need a separate :secret) protect_from_forgery :except => :index # uses one of the other session stores that uses a session_id value. protect_from_forgery :secret => 'my-little-pony', :except => :index # you can disable csrf protection on controller-by-controller basis: skip_before_filter :verify_authenticity_token end
Valid Options:
- :only/:except - passed to the before_filter call. Set which actions are verified.
- :secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store.
- :digest - Message digest used for hashing. Defaults to ‘SHA1’
Register or
log in
to add new notes.
hosiawak -
May 12, 2009
hosiawak -
May 12, 2009
2 thanks
form_authenticity_token
Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:
<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>
