method

protect_from_forgery

v2.0.3 - Show latest stable - 1 note - Class: ActionController::RequestForgeryProtection::ClassMethods

protect_from_forgery(options = {}) public

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

  class FooController < ApplicationController
    # uses the cookie session store (then you don't need a separate :secret)
    protect_from_forgery :except => :index

    # uses one of the other session stores that uses a session_id value.
    protect_from_forgery :secret => 'my-little-pony', :except => :index

    # you can disable csrf protection on controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end

Valid Options:

:only/:except - passed to the before_filter call. Set which actions are verified.
:secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store.
:digest - Message digest used for hashing. Defaults to ‘SHA1’

Show source

# File actionpack/lib/action_controller/request_forgery_protection.rb, line 76
      def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
        request_forgery_protection_options.update(options)
      end

May 12, 2009

2 thanks

form_authenticity_token

Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:

<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>

protect_from_forgery

Related methods

form_authenticity_token