In the config/application_controller.rb file in my Rails application directory, I found the code below:

class ApplicationController < ActionController::Base
  protect_from_forgery
end

Can anyone tell me what protect_from_forgery means and why it is being used?


Solution

Other tips

This is Rails' built-in feature to prevent CSRF attacks.

Learn more from this link:

http://railskey.wordpress.com/2012/07/02/rails-protect_from_forgery/

Cross-site scripting attacks are prevented by adding the authentication token to the form as a hidden field. On a POST request, that token is matched against the one stored in the database.

protect_from_forgery: A feature in Rails that protects against Cross-site Request Forgery (CSRF) attacks.

This feature makes all generated forms have a hidden id field. This id field must match the stored id or the form submission is not accepted.

This prevents malicious forms on other sites or forms inserted with XSS from submitting to the Rails application.
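A minimal model of the hidden-token check these answers describe, added here as an illustration and not Rails' own code: the class name CsrfGuard and the plain session hash are assumptions, and real Rails additionally masks the token per request and accepts it in the X-CSRF-Token header. The point it shows is that a form on another origin cannot supply the victim's session token, so its POST is rejected.

```ruby
require 'securerandom'

# Simplified model of the per-session CSRF token behind protect_from_forgery.
# Illustrative only; the real implementation lives in
# ActionController::RequestForgeryProtection.
class CsrfGuard
  TOKEN_BYTES = 32

  # Returns the session's token, creating a random one on first use.
  # The token lives in the server-side session, not in the database.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # The hidden field that a generated form carries back to the server.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session)}">)
  end

  # Safe, read-only methods are not checked; every other request must
  # present a token equal to the one in the caller's session.
  def self.verified?(method, params, session)
    return true if %w[GET HEAD].include?(method.to_s.upcase)

    submitted = params['authenticity_token'].to_s
    expected  = session[:_csrf_token].to_s
    return false if submitted.empty? || expected.empty?

    secure_equal?(submitted, expected)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  victim = {}
  CsrfGuard.hidden_field(victim)                  # token issued with the legitimate form
  good = { 'authenticity_token' => victim[:_csrf_token] }
  puts "own form accepted:    #{CsrfGuard.verified?('POST', good, victim)}"
  puts "foreign form rejected: #{!CsrfGuard.verified?('POST', {}, victim)}"
end
```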

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow