CSRF protection for your existing rails application
Published over 5 years ago
If you google for CSRF attacks, you’ll find plenty of articles. But just for fun, here’s the simplest example: http://rubyurl.com/Liu. Copy/paste the link in a new window (don’t do it if you hate me/Twitter).
Thanks to Rick, Rails now has built-in protection against such attacks, which is turned on by default for all new Rails applications.
Here are the steps to make use of it in your existing Rails application. First, enable it in your ApplicationController:
```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery # Add :secret => 'some cryptic string' if not using cookie sessions
  # All your existing stuff
end
```
To turn the check off in your test environment (so your tests can post without a token), add the following to your test.rb environment file:
```ruby
# All your existing stuff
config.action_controller.allow_forgery_protection = false
```
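As an added illustration (not code from this post or from Rails itself), here is a minimal model of the synchronizer-token check that protect_from_forgery performs on every non-GET request, with an `enabled` switch playing the role of the test.rb flag above; the class and method names are my own.

```ruby
require 'securerandom'

# Added example, not Rails' implementation: models what protect_from_forgery
# checks and why a cross-site form post fails it.
class ForgeryProtection
  # Stands in for config.action_controller.allow_forgery_protection
  attr_accessor :enabled

  def initialize(enabled: true)
    @enabled = enabled
  end

  # Per-session token that Rails embeds in forms as authenticity_token.
  # A page on another origin cannot read it, which is what defeats CSRF.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # True when the request may proceed. GET/HEAD are not checked (they are
  # expected to be read-only); every other verb must present the session token.
  def verified_request?(method, session, params)
    return true unless enabled
    return true if %w[GET HEAD].include?(method.upcase)
    submitted = params['authenticity_token']
    expected  = session[:_csrf_token]
    return false if submitted.nil? || expected.nil?
    secure_compare(submitted, expected)
  end

  private

  # Constant-time comparison so a timing side channel cannot reveal the token
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: a legitimate form post, a forged cross-site post that
# lacks the token, a plain GET, and a post with protection disabled as in test.rb.
def csrf_demo
  fp = ForgeryProtection.new
  session = {}
  token = fp.form_authenticity_token(session)
  {
    legit:    fp.verified_request?('POST', session, 'authenticity_token' => token),
    forged:   fp.verified_request?('POST', session, 'status' => 'posted by attacker'),
    wrong:    fp.verified_request?('POST', session, 'authenticity_token' => 'guess'),
    get:      fp.verified_request?('GET', session, {}),
    test_env: ForgeryProtection.new(enabled: false).verified_request?('POST', session, {})
  }
end
```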
That’s all folks!