user2246986

Reputation: 1

Following the Rails Getting Started Guide and getting an ActionController::InvalidAuthenticityToken

I'm following the rails getting started guide here: http://guides.rubyonrails.org/getting_started.html

I'm on the step 'Creating posts', where I set up my new view to submit a post to my controller. When I click the submit button in the view I get the error ActionController::InvalidAuthenticityToken.

I was able to get past the error by commenting out this line in the ApplicationController

protect_from_forgery with: :exception

However I'm not sure if I should be doing that. Is that fine or should I dig deeper into the problem? What does that line do?

Content of: /views/layouts/application.html.erb

<!DOCTYPE html>
<html>
<head>
  <title>Budget</title>
  <%= stylesheet_link_tag    "application", media: "all", "data-turbolinks-track" => true %>
  <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
  <%= csrf_meta_tags %>
</head>
<body>

<%= yield %>

</body>
</html>

Upvotes: 0

Views: 194

Answers (1)

Surya

Reputation: 15992

No, you shouldn't be commenting out that line in your ApplicationController. It is meant for the security of your application at the production level.

From the docs: Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

protect_from_forgery is a feature in Rails that protects against Cross-site Request Forgery (CSRF) attacks. This feature makes all generated forms have a hidden id field. This id field must match the stored id or the form submission is not accepted. This prevents malicious forms on other sites or forms inserted with XSS from submitting to the Rails application. Shamelessly copied from here.

And last but not least, here is the link explaining why Cross-Site Request Forgery (CSRF) should be taken seriously, and why it is important.

Upvotes: 1
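To make the answer's description concrete, here is an added example (not from the question, the answer, or Rails itself) that models in plain Ruby the synchronizer-token check behind protect_from_forgery with: :exception: a token is stored in the session and embedded in the form, and any non-GET request whose authenticity_token is missing or differs is rejected with InvalidAuthenticityToken. The class and method names are constructed for illustration; real Rails additionally masks the token on each render, which is omitted here.

```ruby
require "securerandom"

# Constructed stand-in for Rails' CSRF check; not Rails code.
class InvalidAuthenticityToken < StandardError; end

class CsrfProtection
  def initialize
    @session = {} # stands in for the Rails session store
  end

  # One secret per session; csrf_meta_tags and form helpers embed it.
  def session_token
    @session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # What form_for / form_with emit into the generated form markup.
  def hidden_field
    %(<input type="hidden" name="authenticity_token" value="#{session_token}">)
  end

  # Mirrors protect_from_forgery with: :exception.
  # Only non-GET requests are checked, as the quoted docs state.
  def verify!(method:, params:)
    return true if method == "GET"
    submitted = params["authenticity_token"]
    raise InvalidAuthenticityToken unless submitted && secure_compare(submitted, session_token)
    true
  end

  private

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Three submissions: a form rendered by the helpers, a hand-written form
# with no hidden field, and a form carrying some other session's token.
def demo
  guard = CsrfProtection.new
  with_token = guard.verify!(method: "POST", params: { "authenticity_token" => guard.session_token })
  without_token = begin
    guard.verify!(method: "POST", params: { "title" => "Hello" })
  rescue InvalidAuthenticityToken then :rejected
  end
  other_session = begin
    guard.verify!(method: "POST", params: { "authenticity_token" => CsrfProtection.new.session_token })
  rescue InvalidAuthenticityToken then :rejected
  end
  [with_token, without_token, other_session]
end
```

The second case is the shape of the error in the question: the POST arrives without the hidden field the Rails form helpers would have added, so the exception handler fires instead of the controller action.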
