Methods

Instance Public methods

protect_from_forgery(options = {})

Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.

class ApplicationController < ActionController::Base
  protect_from_forgery
end

class FooController < ApplicationController
  protect_from_forgery except: :index
end

You can disable forgery protection on a controller using skip_forgery_protection:

class BarController < ApplicationController
  skip_forgery_protection
end

Valid Options:

  • :only / :except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].

  • :if / :unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.

  • :prepend - By default, the verification of the authentication token will be added at the position of the protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).

    If you need to add verification to the beginning of the callback chain, use prepend: true.

  • :with - Set the method to handle unverified request.

Built-in unverified request handling methods are:

  • :exception - Raises ActionController::InvalidAuthenticityToken exception.

  • :reset_session - Resets the session.

  • :null_session - Provides an empty session during request but doesnโ€™t reset it completely. Used as default if :with option is not specified.

You can also implement custom strategy classes for unverified request handling:

class CustomStrategy
  def initialize(controller)
    @controller = controller
  end

  def handle_unverified_request
    # Custom behaviour for unverfied request
  end
end

class ApplicationController < ActionController:x:Base
  protect_from_forgery with: CustomStrategy
end
๐Ÿ“ Source code 
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 158
      def protect_from_forgery(options = {})
        options = options.reverse_merge(prepend: false)

        self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
        self.request_forgery_protection_token ||= :authenticity_token
        before_action :verify_authenticity_token, options
        append_after_action :verify_same_origin_request
      end
๐Ÿ”Ž See on GitHub

skip_forgery_protection(options = {})

Turn off request forgery protection. This is a wrapper for:

skip_before_action :verify_authenticity_token

See skip_before_action for allowed options.

๐Ÿ“ Source code 
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 172
      def skip_forgery_protection(options = {})
        skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
      end
๐Ÿ”Ž See on GitHub