module ActionController::RequestForgeryProtection::ClassMethods

def protect_from_forgery(options = {})

end
protect_from_forgery with: CustomStrategy
class ApplicationController < ActionController:x:Base

end
end
# Custom behaviour for unverfied request
def handle_unverified_request

end
@controller = controller
def initialize(controller)
class CustomStrategy

You can also implement custom strategy classes for unverified request handling:

* :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
* :reset_session - Resets the session.
* :exception - Raises ActionController::InvalidAuthenticityToken exception.
Built-in unverified request handling methods are:

* :with - Set the method to handle unverified request.
If you need to add verification to the beginning of the callback chain, use prepend: true.

when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
* :prepend - By default, the verification of the authentication token will be added at the position of the
* :if / :unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.
* :only / :except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].

Valid Options:

end
skip_forgery_protection
class BarController < ApplicationController

You can disable forgery protection on a controller using skip_forgery_protection:

end
protect_from_forgery except: :index
class FooController < ApplicationController

end
protect_from_forgery
class ApplicationController < ActionController::Base

Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.

def protect_from_forgery(options = {})
  options = options.reverse_merge(prepend: false)
  self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
  self.request_forgery_protection_token ||= :authenticity_token
  before_action :verify_authenticity_token, options
  append_after_action :verify_same_origin_request
end

def protection_method_class(name)

def protection_method_class(name)
  case name
  when :null_session
    ProtectionMethods::NullSession
  when :reset_session
    ProtectionMethods::ResetSession
  when :exception
    ProtectionMethods::Exception
  when Class
    name
  else
    raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
  end
end

def skip_forgery_protection(options = {})

See +skip_before_action+ for allowed options.

skip_before_action :verify_authenticity_token

Turn off request forgery protection. This is a wrapper for:

def skip_forgery_protection(options = {})
  skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
end

Instance Methods

Defined in

lib/action_controller/metal/request_forgery_protection.rb

Modules

Classes