Module: ActionController::RequestForgeryProtection::ClassMethods

Defined in:

lib/action_controller/metal/request_forgery_protection.rb

Instance Method Summary

• #protect_from_forgery(options = {}) ⇒ Object

  Turn on request forgery protection.

Instance Method Details

#protect_from_forgery(options = {}) ⇒ Object

Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.

class ApplicationController < ActionController::Base
protect_from_forgery
end

class FooController < ApplicationController
protect_from_forgery except: :index

You can disable CSRF protection on controller by skipping the verification before_action: skip_before_action :verify_authenticity_token

Valid Options:

• :only/:except - Passed to the before_action call. Set which actions are verified.
• :with - Set the method to handle unverified request.

Valid unverified request handling methods are:

• :exception - Raises ActionController::InvalidAuthenticityToken exception.
• :reset_session - Resets the session.
• :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.

# File 'lib/action_controller/metal/request_forgery_protection.rb', line 102

def protect_from_forgery(options = {})
  self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
  self.request_forgery_protection_token ||= :authenticity_token
  prepend_before_action :verify_authenticity_token, options
  append_after_action :verify_same_origin_request
end