RubyLearning / ProjectTrak / vendor / rails / railties / doc / guides / source / actioncontroller_basics / csrf.txt

== Request Forgery Protection ==

Cross-site request forgery is a type of attack in which a site tricks a user into making requests on another site, possibly adding, modifying or deleting data on that site without the user's knowledge or permission. The first step to avoid this is to make sure all "destructive" actions (create, update and destroy) can only be accessed with non-GET requests. If you're following RESTful conventions you're already doing this. However, a malicious site can still send a non-GET request to your site quite easily, and that's where the request forgery protection comes in. As the name says, it protects from forged requests. The way this is done is to add a non-guessable token which is only known to your server to each request. This way, if a request comes in without the proper token, it will be denied access.

If you generate a form like this:

[source, ruby]
-----------------------------------------
<% form_for @user do |f| -%>
  <%= f.text_field :username %>
  <%= f.text_field :password -%>
<% end -%>
-----------------------------------------

You will see how the token gets added as a hidden field:

[source, html]
-----------------------------------------
<form action="/users/1" method="post">
<div><!-- ... --><input type="hidden" value="67250ab105eb5ad10851c00a5621854a23af5489" name="authenticity_token"/></div>
<!-- Fields -->
</form>
-----------------------------------------

Rails adds this token to every form that's generated using the link:../form_helpers.html[form helpers], so most of the time you don't have to worry about it. If you're writing a form manually or need to add the token for another reason, it's available through the method `form_authenticity_token`:

.Add a JavaScript variable containing the token for use with Ajax
-----------------------------------------
<%= javascript_tag "MyApp.authenticity_token = '#{form_authenticity_token}'" %>
-----------------------------------------

The link:../security.html[Security Guide] has more about this and a lot of other security-related issues that you should be aware of when developing a web application.
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.