instance method `verify_authenticity_token`

Ruby on Rails 4.1.16

Since v2.2.3

Available in: v2.2.3 v2.3.18 v3.0.20 v3.1.12 v3.2.22.5 v4.0.13 v4.1.16 v4.2.9 v5.2.8.1 v6.0.6 v6.1.7.10 v7.0.10 v7.1.6 v7.2.3 v8.0.4 v8.1.2

Compare with:

verify_authenticity_token()

The actual before_action that is used to verify the CSRF token. Don’t override this directly. Provide your own forgery protection strategy instead. If you override, you’ll disable same-origin ‘<script>` verification.

Lean on the protect_from_forgery declaration to mark which actions are due for same-origin request verification. If protect_from_forgery is enabled on an action, this before_action flags its after_action to verify that JavaScript responses are for XHR requests, ensuring they follow the browser’s same-origin policy.

Source

# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 192
      def verify_authenticity_token
        mark_for_same_origin_verification!

        if !verified_request?
          logger.warn "Can't verify CSRF token authenticity" if logger
          handle_unverified_request
        end
      end

Defined in actionpack/lib/action_controller/metal/request_forgery_protection.rb line 192 · View on GitHub · Improve this page · Find usages on GitHub

Defined in ActionController::RequestForgeryProtection

Signature