module ActionController::RequestForgeryProtection::ClassMethods

def protect_from_forgery(options = {})

* :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
* :reset_session - Resets the session.
* :exception - Raises ActionController::InvalidAuthenticityToken exception.
Valid unverified request handling methods are:

* :with - Set the method to handle unverified request.
* :only/:except - Passed to the before_action call. Set which actions are verified.

Valid Options:

skip_before_action :verify_authenticity_token
You can disable CSRF protection on controller by skipping the verification before_action:

protect_from_forgery except: :index
class FooController < ApplicationController

end
protect_from_forgery
class ApplicationController < ActionController::Base

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

def protect_from_forgery(options = {})
  self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
  self.request_forgery_protection_token ||= :authenticity_token
  prepend_before_action :verify_authenticity_token, options
  append_after_action :verify_same_origin_request
end

def protection_method_class(name)

def protection_method_class(name)
  ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
rescue NameError
  raise ArgumentError, 'Invalid request forgery protection method, use :null_session, :exception, or :reset_session'
end

Instance Methods

Defined in

lib/action_controller/metal/request_forgery_protection.rb

Modules

Classes

module ActionController::RequestForgeryProtection::ClassMethods

def protect_from_forgery(options = {})

def protection_method_class(name)

Instance Methods

Defined in