protect_from_forgery
protect_from_forgery(options = {})
public
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
class ApplicationController < ActionController::Base protect_from_forgery end class FooController < ApplicationController protect_from_forgery except: :index end
You can disable forgery protection on controller by skipping the verification before_action:
skip_before_action :verify_authenticity_token
Valid Options:
-
:only/:except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].
-
:if/:unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.
-
:prepend - By default, the verification of the authentication token will be added at the position of the protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
If you need to add verification to the beginning of the callback chain, use prepend: true.
-
:with - Set the method to handle unverified request.
Built-in unverified request handling methods are:
-
:exception - Raises ActionController::InvalidAuthenticityToken exception.
-
:reset_session - Resets the session.
-
:null_session - Provides an empty session during request but doesn’t reset it completely. Used as default if :with option is not specified.
You can also implement custom strategy classes for unverified request handling:
class CustomStrategy def initialize(controller) @controller = controller end def handle_unverified_request # Custom behaviour for unverfied request end end class ApplicationController < ActionController:x:Base protect_from_forgery with: CustomStrategy end
form_authenticity_token
Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:
<%= hidden_field_tag :authenticity_token, form_authenticity_token -%>