Reputation: 4566
Why would people skip the verification and increase the security vulnerability of their app? Is it beneficial to disable it on pages that have only GET requests? Thanks in advance.
Upvotes: 11
Views: 14094
The CSRF check is already skipped for GET requests in Rails
http://guides.rubyonrails.org/security.html
3.1 CSRF Countermeasures — First, as is required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF.
You can see the method itself as well.
.... Also, GET requests are not protected as these should be idempotent. ....
verified_request?()
Returns true or false if a request is verified. Checks:
is it a GET request? Gets should be safe and idempotent
Upvotes: 5
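To make the GET exemption quoted in that answer concrete, here is an added example (not Rails's own code and not part of the original answer): a small stand-alone Ruby model of the check that `verified_request?` performs, so you can see why disabling `protect_from_forgery` on GET-only pages changes nothing. The `Request` struct, the `demo` method and the sample requests are constructed for this illustration; only the rule itself (safe methods pass, everything else needs the session token in the `authenticity_token` param or the `X-CSRF-Token` header) comes from the guide.

```ruby
# Added example, not ActionController's implementation: a simplified model of
# the verified_request? logic documented in the Rails security guide.
require "securerandom"

# Constructed stand-in for ActionDispatch::Request (assumption for this demo).
Request = Struct.new(:method, :params, :headers, :session, keyword_init: true)

# The methods the guide calls "safe and idempotent". Rails never demands a
# token for these, so skipping the check on GET-only pages is a no-op.
SAFE_METHODS = %w[GET HEAD].freeze

# Lazily issue one token per session, as form_authenticity_token does.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so a mismatch cannot be located by timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Documented order of checks: GET/HEAD pass unconditionally; any other
# method must present the session's token in the form param or the header.
def verified_request?(request)
  return true if SAFE_METHODS.include?(request.method.upcase)
  expected = request.session[:_csrf_token]
  return false if expected.nil? # this session was never issued a token
  presented = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
  secure_compare(presented, expected)
end

# Constructed sample requests exercising each branch.
def demo
  session = {}
  token = form_authenticity_token(session)
  build = lambda do |method, params = {}, headers = {}|
    Request.new(method: method, params: params, headers: headers, session: session)
  end
  {
    get: verified_request?(build.call("GET")),
    post_without_token: verified_request?(build.call("POST")),
    # Same length as a real token, so the comparison runs to completion.
    post_forged_token: verified_request?(build.call("POST", { "authenticity_token" => "x" * 44 })),
    post_with_param_token: verified_request?(build.call("POST", { "authenticity_token" => token })),
    post_with_header_token: verified_request?(build.call("POST", {}, { "X-CSRF-Token" => token }))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, verified| puts "#{name}: #{verified}" }
end
```

The model leaves out two things real Rails does on top of this: since 4.2 the token embedded in forms is masked with a fresh one-time pad on every response (a BREACH mitigation) and unmasked before comparison, and newer versions can also require the `Origin` header to match. Neither changes the point of the answer: a GET request is accepted before any token is looked at.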
Reputation: 2918
If you have a cross-domain application, you could have errors with auth token verification and you can disable it, but of course your application won't be secure. In Rails 3 there are special methods for cross-domain solutions out of the box.
Upvotes: 2