Reputation: 510
protect_from_forgery in Rails 6?
The protect_from_forgery method isn't included in my application controller with a default Rails 6 app, but there's the embedded ruby <%= csrf_meta_tags %> in the main application layout. Does this mean that the protect_from_forgery method has been abstracted and is no longer explicitly needed in the application controller?
I've bought the Pragmatic Programmer's Rails 6 book and the only thing I could find was "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".
Upvotes: 18
Views: 11422
Answers (1)
Reputation: 2086
For rails 5.2 and higher is enabled by default on ActionController::Base. Check out this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55
* Protect from forgery by default
Rather than protecting from forgery in the generated ApplicationController,
add it to ActionController::Base depending on
`config.action_controller.default_protect_from_forgery`. This configuration
defaults to false to support older versions which have removed it from their
ApplicationController, but is set to true for Rails 5.2.
In official docs: https://edgeguides.rubyonrails.org/configuring.html
config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController:Base. This is false by default.
Upvotes: 26
Related Questions
- CSRF tokens to not match what is in session (Rails 4.1)
- Forging a Cross Site Request Forgery (CSRF) token
- Rails: How to implement protect_from_forgery in Rails API mode
- Correct use of protect_from_forgery in Rails app serving Web and API
- Turn on request forgery protection with or witout Rails's protect_from_forgery?
- Protect API with CSRF token or other authentication
- rails protect_from_forgery raises with exception
- Rails 3 protect_from_forgery not working correctly?
- CSRF Protection with HTTP GET requests in Rails
- Rails request forgery protection settings