mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Updated security.md to include default_protect_from_forgery
Update security.md to note that CSRF security token is included in requests automatically when `config.action_controller.default_protect_from_forgery` is set to `true`, which is the default for newly created Rails applications.
This commit is contained in:
parent
e4b5ced331
commit
28c5eca9a1
1 changed files with 2 additions and 2 deletions
|
@ -292,13 +292,13 @@ There are many other possibilities, like using a `<script>` tag to make a cross-
|
|||
|
||||
NOTE: We can't distinguish a `<script>` tag's origin—whether it's a tag on your own site or on some other malicious site—so we must block all `<script>` across the board, even if it's actually a safe same-origin script served from your own site. In these cases, explicitly skip CSRF protection on actions that serve JavaScript meant for a `<script>` tag.
|
||||
|
||||
To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created Rails applications:
|
||||
To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is done automatically when `config.action_controller.default_protect_from_forgery` is set to `true`, which is the default for newly created Rails applications. You can also do it manually by adding the following to your application controller:
|
||||
|
||||
```ruby
|
||||
protect_from_forgery with: :exception
|
||||
```
|
||||
|
||||
This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown.
|
||||
This will include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown.
|
||||
|
||||
NOTE: By default, Rails includes an [unobtrusive scripting adapter](https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts),
|
||||
which adds a header called `X-CSRF-Token` with the security token on every non-GET
|
||||
|
|
Loading…
Reference in a new issue