Question
In the config/application_controller.rb file in my Rails application directory, I found the code below:
class ApplicationController < ActionController::Base
protect_from_forgery
end
Can anyone tell me what protect_from_forgery means and why it is being used?
Solution
It protects from CSRF; e.g., all POST requests should have a specific security token.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
Other tips
This is a Rails built-in feature to prevent CSRF attacks. Learn more from this link:
http://railskey.wordpress.com/2012/07/02/rails-protect_from_forgery/
Cross-site scripting attacks are prevented by adding the authentication token to the form as a hidden field. On a POST request that token is matched against the one stored in the database.
protect_from_forgery: A feature in Rails that protects against Cross-site Request Forgery (CSRF) attacks. This feature makes all generated forms have a hidden id field. This id field must match the stored id or the form submission is not accepted. This prevents malicious forms on other sites or forms inserted with XSS from submitting to the Rails application.
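The mechanism the answers above describe (a secret token embedded in every generated form as a hidden field and checked on every state-changing request), as an added stand-alone example. This is not Rails' own code: Rails implements it in ActionController::RequestForgeryProtection, which protect_from_forgery installs as a before_action. The example follows what that module does: the secret lives in the session (session[:_csrf_token]), each rendered form carries a masked copy of it in a hidden authenticity_token field, and the server compares the submitted copy against the session secret in constant time. The CsrfProtection class, its method names, and the use of a plain Hash as the session are assumptions made for the example; the demo session and requests at the bottom are constructed.

```ruby
require "securerandom"
require "base64"

# Stand-alone re-implementation of the idea behind Rails' protect_from_forgery
# (example code, not Rails' own): a secret is kept server-side in the session,
# every rendered form carries a copy of it in a hidden "authenticity_token"
# field, and every state-changing (non-GET) request must present that copy.
# A page on another origin can make the victim's browser POST to the app with
# the session cookie attached, but it cannot read the victim's form, so it
# cannot supply the token and the request is rejected.
class CsrfProtection
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze # do not change state, so no token needed

  # The per-session secret, created on first use. Rails keeps this in
  # session[:_csrf_token]; the session is a plain Hash in this example (assumption).
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Value for the hidden field. As Rails does, the secret is XORed with a fresh
  # one-time pad on every render and the pad is prepended, so the token on the
  # page differs each time (mitigates the BREACH compression side channel).
  def self.form_token(session)
    secret = session_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor_bytes(pad, secret))
  end

  # The hidden <input> a form helper such as form_for would emit.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{form_token(session)}">)
  end

  # Strip the mask from a submitted token; nil if it is missing or malformed.
  def self.unmask(masked)
    raw = Base64.strict_decode64(masked.to_s)
    return nil unless raw.bytesize == 2 * TOKEN_LENGTH
    xor_bytes(raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH])
  rescue ArgumentError # not valid Base64
    nil
  end

  # The check a before_action performs: true when the request may proceed.
  # +method+ is the HTTP verb; +params+ holds the submitted form fields.
  def self.verified?(session, method, params)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    secret = session[:_csrf_token]
    return false if secret.nil? # this session was never issued a token
    submitted = unmask(params["authenticity_token"])
    return false if submitted.nil?
    secure_compare(secret, submitted)
  end

  # Constant-time comparison so response timing does not leak the secret
  # byte by byte (Rails uses ActiveSupport::SecurityUtils.secure_compare).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end
  private_class_method :xor_bytes
end

if $PROGRAM_NAME == __FILE__
  victim = {}                                # the victim's session (constructed)
  form = CsrfProtection.hidden_field(victim) # rendered into the victim's own page
  token = form[/value="([^"]+)"/, 1]

  puts "legitimate POST with token: #{CsrfProtection.verified?(victim, 'POST', 'authenticity_token' => token)}"
  puts "plain GET, no token:        #{CsrfProtection.verified?(victim, 'GET', {})}"
  puts "cross-site POST, no token:  #{CsrfProtection.verified?(victim, 'POST', {})}"
  puts "token from another session: #{CsrfProtection.verified?(victim, 'POST', 'authenticity_token' => CsrfProtection.form_token({}))}"
end
```

Two practical points follow from the code. First, only non-GET requests are checked, so a controller action that changes state on GET gets no protection from protect_from_forgery at all; state changes belong in POST/PATCH/DELETE actions. Second, what happens on a failed check is configurable: protect_from_forgery with: :exception raises ActionController::InvalidAuthenticityToken and aborts the request, whereas with: :null_session lets the action run with an empty session, which is what you want for APIs but can silently hide a misconfigured form in a browser app.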