Is Rails' protect_from_forgery really useful?

About

Asked 25/11, 2009 at 14:40 Answered 25/11, 2009 at 14:52

Solved ruby-on-rails security protect-from-forgery

I'm asking this because I feel that it's making my life overly complicated when I start communicating with rails using ajax or flash.

I know it's nice to protect against CSRF, but couldn't I just check the referer or something instead?

Isologous answered 25/11, 2009 at 14:40 Comment(0)

Many users deactivate their referer, mostly not by choice.
But because they're behind a firewall that's blocking it.

Using protect from forgery is the only solution to protect you against CSRF.
But you can deactivate for any action you wish.

In your controller, you add :

skip_before_filter :verify_authenticity_token, :only => :create

This will deactive the token verification for the create action in the controller where you've added the filter.

Cervin answered 25/11, 2009 at 14:52 Comment(1)

Actually, the question was about is it really useful, not about how to turn it off so I don't think this answer should be accepted. – Helaine 28/6, 2013 at 21:10

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags