public Method

ClassMethods.protect_from_forgery(options = {})

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example:

class FooController < ApplicationController
  # uses the cookie session store (then you don't need a separate :secret)
  protect_from_forgery :except => :index

  # uses one of the other session stores, which rely on a session_id value
  protect_from_forgery :secret => 'my-little-pony', :except => :index

  # you can disable CSRF protection on a controller-by-controller basis:
  skip_before_filter :verify_authenticity_token
end

Valid Options:

  • :only/:except - passed to the before_filter call. Set which actions are verified.
  • :secret - Custom salt used to generate the form_authenticity_token. Leave this off if you are using the cookie session store.
  • :digest - Message digest used for hashing. Defaults to 'SHA1'.
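
To make the checking rule concrete (only non-GET, HTML/JavaScript requests are verified, :only/:except select the actions, :secret and :digest shape the token), here is an added stand-alone Ruby model of that behaviour. It is example code written for this page, not Rails' implementation; the request Hash shape, the session keys and the HMAC token construction are assumptions.

```ruby
require 'openssl'
require 'securerandom'
# Stand-in for the protection configured above (illustrative example, not
# Rails' own code). With a :secret the token is keyed to the session id; without
# one the cookie session store simply carries a random token in the session.
class ForgeryProtection
  SAFE_METHODS     = %w[GET HEAD] # only non-GET requests are checked
  VERIFIED_FORMATS = %w[html js]  # and only HTML/JavaScript requests

  def initialize(options = {})
    only    = options.delete(:only)          # :only/:except go to the filter,
    @only   = only && Array(only)            # the rest are protection options
    @except = Array(options.delete(:except))
    @secret = options[:secret]
    @digest = options[:digest] || 'SHA1'
  end

  # Token to embed in forms, analogous to form_authenticity_token.
  def form_authenticity_token(session)
    if @secret
      OpenSSL::HMAC.hexdigest(@digest, @secret, session[:session_id].to_s)
    else
      session[:_csrf_token] ||= SecureRandom.hex(32)
    end
  end

  # Analogue of the verify_authenticity_token before_filter. Returns true when
  # the request may proceed. request is a constructed Hash with :method,
  # :format, :action and :authenticity_token keys.
  def verified?(request, session)
    return true unless protected_action?(request[:action])
    return true if SAFE_METHODS.include?(request[:method])
    return true unless VERIFIED_FORMATS.include?(request[:format])
    secure_compare(request[:authenticity_token].to_s, form_authenticity_token(session))
  end

  private

  def protected_action?(action)
    return @only.include?(action) if @only
    !@except.include?(action)
  end

  # Constant-time comparison so a token mismatch leaks no timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```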

Source Code

# File action_controller/request_forgery_protection.rb, line 76
def protect_from_forgery(options = {})
  self.request_forgery_protection_token ||= :authenticity_token
  before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
  request_forgery_protection_options.update(options)
end