Override the protect_from_forgery strategy in a controller
What if you leave the protect_from_forgery with: :exception
in the application controller but then you put the following in your API controller?
skip_before_action :protect_from_forgery
protect_from_forgery with: :null_session
That way, you still get the standard CSRF attack protection for all controllers in your web application but you also get the null session behavior for your API methods.
protect_from_forgery' in Application controller in Rails
It protects from csrf. e.g. all POST requests should have specific security token.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
protect_from_forgery in Rails 6?
For rails 5.2 and higher is enabled by default on ActionController::Base. Check out this commit:
https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55
* Protect from forgery by default
Rather than protecting from forgery in the generated ApplicationController,
add it to ActionController::Base depending on
`config.action_controller.default_protect_from_forgery`. This configuration
defaults to false to support older versions which have removed it from their
ApplicationController, but is set to true for Rails 5.2.
In official docs: https://edgeguides.rubyonrails.org/configuring.html
config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController:Base. This is false by default.
protect_from_forgery with: :null_session -- still getting Can't verify CSRF token authenticity
You can ActionController::API
instead of ApplicationController
, and I see a syntax error you wrote status: :create
instead of status: :created
Stubbing protect_from_forgery in rspec for API specs
allow(ApiController).to receive(:protect_from_forgery).and_return(false)
Related Topics
Ruby - Remove Pattern from String
Ruby: Remove Whitespace Chars at the Beginning of a String
How to Embed Ruby in JavaScript (Rails + .Html.Erb File)
Ruby, Using Regex to Find Something in Between Two Strings
Regex to Match Hashtags in a Sentence Using Ruby
Why Is "❨╯°□°❩╯︵┻━┻" with Such an Encoding Used for a Method Name
Omniauth Facebook Expired Token Error
What Does "No Binary Rubies Available" Mean
Perform One Validation Only If All Other Validations Pass
Differencebetween 'Size' and 'Length' Methods
How to Pass <Arguments> to Irb If I Don't Specify <Programfile>
"Certificate Verify Failed" Error When Installing Ruby Gems on Windows
How to Make a Check Box Default to Being "Checked" in Rails 1.2.3
Where to Insert Rack::Deflater in the Rack