over 8 years ago
The first concern for every application is its security, so rails by default provides a method protect_from_forgery, which is always present by default in your application, whenever you create a new application. i.e.
So whenever you create a form in your rails application, in a hidden field, it always has a token, which gets sent by default so that, the rails application recognizes that the request has come from the same application. This protect_from_forgery verifies all requests except the GET and HEAD requests. Here we will discuss what options are available in this:
1. Completely skipping:
We can completely skip the protect_from_forgery, if our application is purely api based and we don't want any checks for forgery. It can be done by adding this line of code.
2. Customizing for specific actions:
Like all the other rails filters, it also supports :only/:except options, so you can add the your methods in these blocks:
class ApplicationController < ActionController::Baseprotect_from_forgery except: [:login, :signup]## orprotect_from_forgery only: [:edit, :show]end
class ApplicationController < ActionController::Base
protect_from_forgery except: [:login, :signup]
## or
protect_from_forgery only: [:edit, :show]
end
3. Providing blocks/conditions:
It supports :if/:unless options too, so you can provide conditions here, regarding when you want to protect_from_forgery to work or not.
4. :with
It is used to set the method to handle unverified request.
5. There are few methods available to handle the unverified requests, which are:
a) exception: It is present by default with the rails application and raises ActionController::InvalidAuthenticityToken exception.
b) reset_session: It resets all the available sessions.
c) null_session: It provides an empty session during request but doesn't reset it. It is used as default when :with option is not specified.
0 Comment(s)