protect_from_forgery(options = {}) public

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

  class FooController < ApplicationController
    protect_from_forgery :except => :index

    # you can disable csrf protection on controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end

Valid Options:

  • :only/:except - Passed to the before_filter call. Set which actions are verified.
Show source
Register or log in to add new notes.
May 12, 2009
2 thanks

form_authenticity_token

Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:

<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>