CSRF Protection: When It Breaks, It Breaks Very Quietly
Cross-site request forgery (CSRF) is tricking the browser, by way of a malicious (or compromised) site B, into making a request to site A. Since requests to site A carry site A's cookie whether or not site A initiated them, an image tag or embedded JavaScript on site B can submit requests to site A that the logged-in user is allowed to make, such as accessing private information, with the appropriate POST parameters to make it happen. Rails has a mechanism that defends against CSRF: all one has to do is include a few lines of code such as:
class ApplicationController < ActionController::Base
  protect_from_forgery
end

class FooController < ApplicationController
  protect_from_forgery except: :index
end
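To show what protect_from_forgery is actually deciding, here is an added, constructed model of the synchronizer-token check (this is illustration code written for this post, not Rails' implementation; the CsrfGuard class, the request hash shape and the sample requests are all assumptions). The session is present on both the legitimate and the forged request, because the browser attaches the cookie either way; what site B cannot obtain is the token that site A embedded in its own form.

```ruby
require 'securerandom'

# Constructed model of the check behind protect_from_forgery (not Rails code).
# A request is a Hash: { method: 'POST', action: :transfer, params: {...} }.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze

  # except: mirrors `protect_from_forgery except: :index`
  def initialize(except: [])
    @except = Array(except).map(&:to_s)
  end

  # Mint one secret per session; site A's forms embed it as authenticity_token.
  def token_for(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Exempted actions and safe methods pass; everything else needs a token
  # that matches the secret stored in the (cookie-backed) session.
  def verified?(session, request)
    return true if @except.include?(request[:action].to_s)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    expected = session[:csrf_token]
    given = request[:params]['authenticity_token']
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  private

  # Constant-time comparison so the check itself reveals nothing about the secret.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the scenarios from the post with constructed requests.
def csrf_demo
  guard = CsrfGuard.new(except: :index)
  session = {}                      # same session on every request: the cookie rides along
  token = guard.token_for(session)  # only site A's own form can include this value
  {
    own_form_post:   guard.verified?(session, { method: 'POST', action: :transfer, params: { 'authenticity_token' => token } }),
    forged_post:     guard.verified?(session, { method: 'POST', action: :transfer, params: { 'amount' => '100' } }),
    wrong_token:     guard.verified?(session, { method: 'POST', action: :transfer, params: { 'authenticity_token' => 'f' * 64 } }),
    plain_get:       guard.verified?(session, { method: 'GET',  action: :show,     params: {} }),
    exempted_action: guard.verified?(session, { method: 'POST', action: :index,    params: {} })
  }
end
```

Note that the exempted index action accepts the token-less POST, which is exactly the quiet gap an `except:` clause opens if the action ever starts changing state.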