protect_from_forgery(options = {}) public

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

class FooController < ApplicationController
  protect_from_forgery except: :index

You can disable csrf protection on controller-by-controller basis:

skip_before_action :verify_authenticity_token

It can also be disabled for specific controller actions:

skip_before_action :verify_authenticity_token, except: [:create]

Valid Options:

  • :only/:except - Passed to the before_action call. Set which actions are verified.

  • :with - Set the method to handle unverified request.

Valid unverified request handling methods are:

  • :exception - Raises ActionController::InvalidAuthenticityToken exception.

  • :reset_session - Resets the session.

  • :null_session - Provides an empty session during request but doesn’t reset it completely. Used as default if :with option is not specified.

Show source
Register or log in to add new notes.
May 12, 2009
2 thanks


Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:

<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>