ActionController::RequestForgeryProtection::ClassMethods

Methods

P

protect_from_forgery

Instance Public methods

protect_from_forgery(options = {}) Link

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

class FooController < ApplicationController
  protect_from_forgery except: :index

You can disable csrf protection on controller-by-controller basis:

skip_before_action :verify_authenticity_token

It can also be disabled for specific controller actions:

skip_before_action :verify_authenticity_token, except: [:create]

Valid Options:

:only/:except - Passed to the before_action call. Set which actions are verified.
:with - Set the method to handle unverified request.

Valid unverified request handling methods are:

:exception - Raises ActionController::InvalidAuthenticityToken exception.
:reset_session - Resets the session.
:null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.

Source: show | on GitHub

# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 88
def protect_from_forgery(options = {})
  self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
  self.request_forgery_protection_token ||= :authenticity_token
  prepend_before_action :verify_authenticity_token, options
end

Module ActionController::RequestForgeryProtection::ClassMethods