API Guides

instance method protect_from_forgery

Ruby on Rails 2.2.3

Since v2.2.3

Available in: v2.2.3 v2.3.18 v3.0.20 v3.1.12 v3.2.22.5 v4.0.13 v4.1.16 v4.2.9 v5.2.8.1 v6.0.6 v6.1.7.10 v7.0.10 v7.1.6 v7.2.3 v8.0.4 v8.1.2 

protect_from_forgery(options = {})

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

class FooController < ApplicationController
  # uses the cookie session store (then you don't need a separate :secret)
  protect_from_forgery :except => :index

  # uses one of the other session stores that uses a session_id value.
  protect_from_forgery :secret => 'my-little-pony', :except => :index

  # you can disable csrf protection on controller-by-controller basis:
  skip_before_filter :verify_authenticity_token
end

Valid Options:

  • :only/:except - Passed to the before_filter call. Set which actions are verified.

  • :secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store.

  • :digest - Message digest used for hashing. Defaults to ‘SHA1’.

Parameters

options opt = {}
Source 
# File actionpack/lib/action_controller/request_forgery_protection.rb, line 76
      def protect_from_forgery(options = {})
        self.request_forgery_protection_token ||= :authenticity_token
        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
        request_forgery_protection_options.update(options)
      end

Defined in actionpack/lib/action_controller/request_forgery_protection.rb line 76 · View on GitHub · Improve this page · Find usages on GitHub

Defined in ActionController::RequestForgeryProtection::ClassMethods

Type at least 2 characters to search.

↑↓ navigate · open · esc close