module ActionController::RequestForgeryProtection::ClassMethods
def protect_from_forgery(options = {})
* :reset_session - Resets the session.
* :exception - Raises ActionController::InvalidAuthenticityToken exception.
Valid unverified request handling methods are:
* :with - Set the method to handle unverified request.
If you need to add verification to the beginning of the callback chain, use prepend: true.
when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
* :prepend - By default, the verification of the authentication token will be added at the position of the
* :if/:unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.
* :only/:except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].
Valid Options:
skip_before_action :verify_authenticity_token
You can disable forgery protection on controller by skipping the verification before_action:
end
protect_from_forgery except: :index
class FooController < ApplicationController
end
protect_from_forgery
class ApplicationController < ActionController::Base
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
def protect_from_forgery(options = {}) options = options.reverse_merge(prepend: false) self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token before_action :verify_authenticity_token, options append_after_action :verify_same_origin_request end
def protection_method_class(name)
def protection_method_class(name) ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify) rescue NameError raise ArgumentError, 'Invalid request forgery protection method, use :null_session, :exception, or :reset_session' end