method

csrf_meta_tags

v4.2.9 - Show latest stable - Class: ActionView::Helpers::CsrfHelper

csrf_meta_tags()

public

Returns meta tags “csrf-param” and “csrf-token” with the name of the cross-site request forgery protection parameter and token, respectively.

<head>
  <%= csrf_meta_tags %>
</head>

These are used to generate the dynamic forms that implement non-remote links with :method.

You don’t need to use these tags for regular forms as they generate their own hidden fields.

For AJAX requests other than GETs, extract the “csrf-token” from the meta-tag and send as the “X-CSRF-Token” HTTP header. If you are using jQuery with jquery-rails this happens automatically.

# File actionview/lib/action_view/helpers/csrf_helper.rb, line 20
      def csrf_meta_tags
        if protect_against_forgery?
          [
            tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
            tag('meta', :name => 'csrf-token', :content => form_authenticity_token)
          ].join("\n").html_safe
        end
      end

1Note

Ajax calls no longer whitelisted

gwshaw · Jul 24, 2013

As of Rails 3.0.4 and 2.3.11, Ajax calls are no longer whitelisted.

See: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/

csrf_meta_tags

1Note

Ajax calls no longer whitelisted

Related methods