Override the Protect_From_Forgery Strategy in a Controller

What if you leave the protect_from_forgery with: :exception in the application controller but then you put the following in your API controller?

class ApiController < ApplicationController
  skip_before_action :verify_authenticity_token   # the callback protect_from_forgery registers
  protect_from_forgery with: :null_session        # re-register it with the null-session strategy
end

That way, you still get the standard CSRF attack protection for all controllers in your web application but you also get the null session behavior for your API methods.
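To make concrete what the two strategies do when a non-GET request arrives without a valid token, here is a small plain-Ruby model added for this page (not Rails' implementation, and not code from the answer above): the strategy is a class-level setting inherited from ApplicationController and overridden in ApiController, as the answer describes. Token masking is omitted and the session is a plain Hash; both are simplifying assumptions.

```ruby
# Plain-Ruby model of Rails' protect_from_forgery strategies (illustrative, not
# Rails' code). Assumptions: unmasked tokens; the session is a plain Hash.
class InvalidAuthenticityToken < StandardError; end

class Controller
  class << self
    # Like the Rails class macro: sets the strategy for this class and subclasses.
    def protect_from_forgery(with:)
      @strategy = with
    end

    # Strategy set on this class, otherwise inherited from the superclass.
    def forgery_protection_strategy
      return @strategy if @strategy
      superclass.respond_to?(:forgery_protection_strategy) ? superclass.forgery_protection_strategy : :null_session
    end
  end

  attr_reader :session
  def initialize(session); @session = session; end

  # Mirrors verify_authenticity_token: GET/HEAD are exempt; any other method must
  # carry a token (form field or X-CSRF-Token header) equal to the session's.
  def handle(method:, params: {}, headers: {})
    return :ok if %w[GET HEAD].include?(method)
    return :ok if valid_token?(params["authenticity_token"] || headers["X-CSRF-Token"])
    case self.class.forgery_protection_strategy
    when :exception     then raise InvalidAuthenticityToken, "Can't verify CSRF token authenticity"
    when :reset_session then @session = {}         # session wiped, request continues
    when :null_session  then @session = {}.freeze  # empty, read-only session for this request
    end
    :ok
  end

  # Constant-time comparison so a wrong guess does not leak via timing.
  def valid_token?(submitted)
    expected = session[:_csrf_token]
    return false if submitted.nil? || expected.nil? || submitted.bytesize != expected.bytesize
    submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

class ApplicationController < Controller
  protect_from_forgery with: :exception     # site-wide default, as in the question
end

class ApiController < ApplicationController
  protect_from_forgery with: :null_session  # overridden only for the API controller
end
```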

protect_from_forgery in ApplicationController in Rails

It protects from CSRF, e.g. all POST requests must carry a specific security token.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf

protect_from_forgery in Rails 6?

For Rails 5.2 and higher it is enabled by default on ActionController::Base. Check out this commit:
https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55


* Protect from forgery by default

Rather than protecting from forgery in the generated ApplicationController,
add it to ActionController::Base depending on
`config.action_controller.default_protect_from_forgery`. This configuration
defaults to false to support older versions which have removed it from their
ApplicationController, but is set to true for Rails 5.2.

In the official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.

protect_from_forgery with: :null_session -- still getting Can't verify CSRF token authenticity

You can use ActionController::API instead of ApplicationController, and I see a syntax error: you wrote status: :create instead of status: :created

Stubbing protect_from_forgery in rspec for API specs

allow(ApiController).to receive(:protect_from_forgery).and_return(false)
