If you google for CSRF attacks, you'll find plenty of articles. But just for fun, here's the simplest example: http://rubyurl.com/Liu Copy/paste the link in a new window (don't do it if you hate me/twitter).
Thanks to Rick, Rails now has built-in protection against such attacks, and it is turned on by default for all new Rails applications.
Here are the steps to make use of it in an existing Rails application:
- Add protect_from_forgery to your ApplicationController in application.rb:

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery # Add :secret => 'some cryptic string' if not using cookie sessions

  # All your existing stuff
end
```
- Turn off CSRF protection in your test environment, unless you have the time/energy/reasons to add the CSRF token to all your functional/integration tests that use POST/PUT/DELETE. To do so, add the following to your test.rb environment file:

```ruby
# All your existing stuff
config.action_controller.allow_forgery_protection = false
```
- If you have cached any pages containing forms, buttons or links that use POST/PUT/DELETE, make sure you clear your cache: copies cached before protect_from_forgery was enabled carry no authenticity token, so requests made from them will now be rejected.
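As an added illustration (not code from this post or from Rails itself), here is a small Ruby model of the synchronizer-token check that protect_from_forgery performs: a token derived from the session, embedded in every form, and required on every non-GET request. The names CsrfGuard, token_for, verified?, form_html and scenario are this example's own, and the HMAC stands in for the digest Rails actually uses; Rails' additional check that only HTML/JS request formats are verified is left out. The scenario at the end shows why the cache-clearing step matters: a form rendered for one session and served from the cache to another carries a token that fails the check, and a form with no token at all (which is what a cross-site page submits) fails too.

```ruby
require 'openssl'
require 'securerandom'

# Simplified model of the synchronizer-token pattern behind
# protect_from_forgery. Example code, not Rails' implementation.
class CsrfGuard
  attr_accessor :allow_forgery_protection

  # Requests that are not supposed to change state are never checked.
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(secret, allow_forgery_protection: true)
    @secret = secret
    @allow_forgery_protection = allow_forgery_protection
  end

  # Token bound to the session id (the role of token_from_session_id):
  # a different session yields a different token. HMAC is this
  # example's choice, not the digest Rails uses.
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, session_id)
  end

  # The check a controller runs before a state-changing action.
  def verified?(method, session_id, submitted_token)
    return true unless @allow_forgery_protection      # config.action_controller.allow_forgery_protection = false
    return true if SAFE_METHODS.include?(method.upcase)
    return false if submitted_token.nil? || submitted_token.empty?
    secure_compare(token_for(session_id), submitted_token)
  end

  # What a form helper renders: the token travels as a hidden field.
  def form_html(action, session_id)
    token = token_for(session_id)
    "<form method=\"post\" action=\"#{action}\">" \
    "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{token}\" />" \
    "</form>"
  end

  def extract_token(html)
    html[/name="authenticity_token" value="([0-9a-f]+)"/, 1]
  end

  private

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end
end

SECRET = 'some cryptic string' # stands in for the :secret / session secret
GUARD = CsrfGuard.new(SECRET)

# Constructed scenario: two sessions, one cached form.
def scenario
  alice = SecureRandom.hex(16)
  bob   = SecureRandom.hex(16)
  cached_form = GUARD.form_html('/messages', alice) # rendered for alice, then cached
  cached_token = GUARD.extract_token(cached_form)
  {
    get_without_token:   GUARD.verified?('GET', alice, nil),
    post_without_token:  GUARD.verified?('POST', alice, nil),          # cross-site form
    post_with_own_token: GUARD.verified?('POST', alice, cached_token),
    cached_form_for_bob: GUARD.verified?('POST', bob, cached_token),   # stale token from cache
    test_env_disabled:   CsrfGuard.new(SECRET, allow_forgery_protection: false)
                                  .verified?('POST', bob, nil)
  }
end

scenario.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" } if $PROGRAM_NAME == __FILE__
```

Only the POST with a token minted for the same session is accepted; the token-less POST and the cached token presented by a different session are rejected, and switching allow_forgery_protection off lets everything through, which is exactly why it should stay off only in test.rb.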
That’s all folks!

Ahoy Pratik! Way to drive the message home with your rubyurl example :-) And thanks for this post – it’ll be a handy reference to direct people to.
Does this mean every page we generate with a form cannot be cached?
jason: No. That's not what I meant. You just need to clear your existing cache and cache new forms, which would include the CSRF token.
token_from_session_id and #token_from_cookie_store seem to suggest that the auth token is linked to your session, so unless I'm missing something, wouldn't it be a problem to give the same token to everyone via memcached?