protect_from_forgery
protect_from_forgery(options = {})
public
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked, so actions reached through those methods must not change state.
class ApplicationController < ActionController::Base
  protect_from_forgery
end

class FooController < ApplicationController
  protect_from_forgery except: :index
end
You can disable CSRF protection on a controller by skipping the verification before_action:
skip_before_action :verify_authenticity_token
Valid Options:
- :only/:except - Passed to the before_action call. Set which actions are verified.
- :with - Set the method to handle an unverified request.

Valid unverified request handling methods are:
- :exception - Raises an ActionController::InvalidAuthenticityToken exception.
- :reset_session - Resets the session.
- :null_session - Provides an empty session during the request but doesn't reset it completely. Used as the default if the :with option is not specified.
form_authenticity_token
Instead of disabling the CSRF check, you can pass the authenticity_token field in your forms, e.g.:
<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>
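The following is an added, simplified model of what the verification before_action and the three :with strategies do; it is illustrative code written for this page, not Rails' own implementation (Rails additionally masks the per-form token and also accepts it from the X-CSRF-Token header). The helper names issue_token, verified_request?, handle_unverified_request and process are assumptions chosen here; issue_token stands in for the value form_authenticity_token emits into the hidden field, and the session is modelled as a plain Hash.

```ruby
require "securerandom"

# Constructed model of the verification flow. Not Rails' code.
class InvalidAuthenticityToken < StandardError; end

# Methods that are never verified, exactly as the documentation warns.
SAFE_METHODS = %w[GET HEAD].freeze

# Issue (or reuse) the per-session token; this is the value a form
# embeds via the hidden authenticity_token field.
def issue_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so a timing difference cannot leak how many
# leading bytes of the submitted token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the request needs no token or carries the session's token.
def verified_request?(method, session, submitted_token)
  return true if SAFE_METHODS.include?(method)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted_token.nil?
  secure_compare(expected, submitted_token)
end

# The three handling strategies selectable with the :with option.
def handle_unverified_request(strategy, session)
  case strategy
  when :exception     then raise InvalidAuthenticityToken
  when :reset_session then session.clear
  when :null_session  then {} # empty session for this request only
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# One request through the filter. `skip: true` models an action listed
# under :except (or skip_before_action :verify_authenticity_token).
# Returns [:ok, session] or [:unverified, session_used_for_request].
def process(method, session, submitted_token, with: :null_session, skip: false)
  return [:ok, session] if skip
  if verified_request?(method, session, submitted_token)
    [:ok, session]
  else
    [:unverified, handle_unverified_request(with, session)]
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_token(session)
  p process("POST", session, token)              # [:ok, {...}]
  p process("POST", session, "forged-token")     # [:unverified, {}]
end
```

With :null_session the original session survives the rejected request untouched, while :reset_session empties it and :exception aborts the action; which one is right depends on whether the application wants a forged request to be silent, to log the user out, or to surface as an error.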