protect_from_forgery in Rails 6?
The protect_from_forgery method isn't included in my application controller with a default Rails 6 app, but there's the embedded ruby <%= csrf_meta_tags %> in the main application layout. Does this mean that the protect_from_forgery method has been abstracted and is no longer explicitly needed in the application controller?

I've bought the Pragmatic Programmer's Rails 6 book and the only thing I could find was "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".

Formalism answered 26/4, 2019 at 2:52
For Rails 5.2 and higher, it is enabled by default on ActionController::Base. Check out this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55

*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

In official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.
Brentonbrentt answered 26/4, 2019 at 7:54

So where do we modify the setting now, so I can add prepend: true - Schottische
The way I read that is if you are on Rails 5.2+ you don't need to add it, it's on by default. @Schottische - Seashore
@Schottische probably you'd have to add it explicitly to a controller as you did in the past. - Donny
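To make the answer and the comment thread concrete, here is an added example that is not from the answer above and not Rails source code: a miniature Ruby model of a controller callback chain. It shows why a check installed on the base class (the effect of default_protect_from_forgery being true) is inherited by every controller without an explicit call, what happens when it is false and nothing is added, and how prepend: true moves the CSRF check ahead of before_actions already registered. All class and method names (MiniController, build_app, run, the _csrf_token session key and the load_current_user callback) are stand-ins chosen for this example; the real ActionController internals differ, and the real token is additionally masked per request.

```ruby
# Added example, not Rails source: a tiny model of a controller callback chain
# used to show how forgery protection on the base class reaches every subclass.

class ForgeryError < StandardError; end

class MiniController
  def self.callbacks
    @callbacks ||= []
  end

  # A subclass starts with a copy of its parent's chain, so a check registered
  # on the base class is inherited by ApplicationController and everything below.
  def self.inherited(subclass)
    super
    subclass.instance_variable_set(:@callbacks, callbacks.dup)
  end

  # Re-registering the same callback replaces it rather than running it twice.
  def self.before_action(name)
    callbacks.delete(name)
    callbacks << name
  end

  def self.prepend_before_action(name)
    callbacks.delete(name)
    callbacks.unshift(name)
  end

  # Same shape as protect_from_forgery(prepend:): prepend: true puts the check
  # ahead of callbacks that were registered earlier.
  def self.protect_from_forgery(prepend: false)
    if prepend
      prepend_before_action(:verify_authenticity_token)
    else
      before_action(:verify_authenticity_token)
    end
  end

  attr_reader :session, :params, :trace

  def initialize(session:, params:)
    @session = session
    @params = params
    @trace = []
  end

  # Run the callback chain, then the action; return the steps executed.
  def process(action)
    self.class.callbacks.each { |cb| send(cb) }
    send(action)
    trace
  end

  # Compare the token held in the session with the one submitted with the form.
  def verify_authenticity_token
    trace << :verify_authenticity_token
    expected = session[:_csrf_token].to_s
    given = params[:authenticity_token].to_s
    raise ForgeryError, "token mismatch" unless secure_compare(expected, given)
  end

  private

  # Length-guarded comparison that does not stop at the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the framework initializer driven by
# config.action_controller.default_protect_from_forgery: when true, the check is
# installed on the base class, so ApplicationController needs no explicit call.
# explicit_call models the legacy case of calling it yourself: nil, :append or :prepend.
def build_app(default_protect_from_forgery:, explicit_call: nil)
  base = Class.new(MiniController)
  base.protect_from_forgery if default_protect_from_forgery

  application_controller = Class.new(base) do
    before_action :load_current_user
    def load_current_user
      trace << :load_current_user
    end
  end
  application_controller.protect_from_forgery(prepend: explicit_call == :prepend) if explicit_call

  Class.new(application_controller) do
    def create
      trace << :create
    end
  end
end

# Returns the executed steps, or :rejected when the forgery check fails.
def run(controller_class, session_token:, submitted_token:)
  controller = controller_class.new(session: { _csrf_token: session_token },
                                    params: { authenticity_token: submitted_token })
  controller.process(:create)
rescue ForgeryError
  :rejected
end

if __FILE__ == $0
  posts = build_app(default_protect_from_forgery: true)
  p run(posts, session_token: "abc123", submitted_token: "abc123")
  p run(posts, session_token: "abc123", submitted_token: "forged")
  p run(build_app(default_protect_from_forgery: false), session_token: "abc123", submitted_token: "forged")
end
```

With the default on, the forged request is rejected before any other callback runs; with it off and no explicit call, the forged request goes straight through to the action, which is the situation the commit message describes for older generated apps. The :append and :prepend variants show the ordering difference that the prepend: true question is about.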
