<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionController::RequestForgeryProtection::ClassMethods</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionController::RequestForgeryProtection::ClassMethods</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../../files/lib/action_controller/request_forgery_protection_rb.html">
                lib/action_controller/request_forgery_protection.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">

    <div id="description">
      <p>
Protecting controller actions from CSRF attacks by ensuring that all forms
are coming from the current web application, not a forged link from another
site, is done by embedding a token based on a random string stored in the
session (which an attacker wouldn&#8216;t know) in all forms and Ajax
requests generated by Rails and then verifying the authenticity of that
token in the controller. Only HTML/JavaScript requests are checked, so this
will not protect your XML API (presumably you&#8216;ll have a different
authentication scheme there anyway). Also, GET requests are not protected
as these should be idempotent anyway.
</p>
<p>
This is turned on with the <tt><a
href="ClassMethods.html#M000149">protect_from_forgery</a></tt> method,
which will check the token and raise an
ActionController::InvalidAuthenticityToken if it doesn&#8216;t match what
was expected. You can customize the error message in production by editing
public/422.html. A call to this method in ApplicationController is
generated by default in post-Rails 2.0 applications.
</p>
<p>
The token parameter is named <tt>authenticity_token</tt> by default. If you
are generating an HTML form manually (without the use of Rails&#8217;
<tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include
a hidden field named like that and set its value to what is returned by
<tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax
requests. To make the token available through a global variable to scripts
on a certain page, you could add something like this to a view:
</p>
<pre>
  &lt;%= javascript_tag &quot;window._token = '#{form_authenticity_token}'&quot; %&gt;
</pre>
<p>
<a href="../Request.html">Request</a> forgery protection is disabled by
default in test environment. If you are upgrading from Rails 1.x, add this
to config/environments/test.rb:
</p>
<pre>
  # Disable request forgery protection in test environment
  config.action_controller.allow_forgery_protection = false
</pre>
<h2>Learn more about CSRF (Cross-Site <a href="../Request.html">Request</a> Forgery) attacks</h2>
<p>
Here are some resources:
</p>
<ul>
<li><a
href="http://isc.sans.org/diary.html?storyid=1750">isc.sans.org/diary.html?storyid=1750</a>

</li>
<li><a
href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a>

</li>
</ul>
<p>
Keep in mind, this is NOT a silver-bullet, plug &#8216;n&#8217; play, warm
security blanket for your rails application. There are a few guidelines you
should follow:
</p>
<ul>
<li>Keep your GET requests safe and idempotent. More reading material:

<ul>
<li><a
href="http://www.xml.com/pub/a/2002/04/24/deviant.html">www.xml.com/pub/a/2002/04/24/deviant.html</a>

</li>
<li><a
href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1">www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1</a>

</li>
</ul>
</li>
<li>Make sure the session cookies that Rails creates are non-persistent. Check
in Firefox and look for &quot;Expires: at end of session&quot;

</li>
</ul>

    </div>


   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000149">protect_from_forgery</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000149" class="method-detail">
        <a name="M000149"></a>

        <div class="method-heading">
          <a href="ClassMethods.src/M000149.html" target="Code" class="method-signature"
            onclick="popupCode('ClassMethods.src/M000149.html');return false;">
          <span class="method-name">protect_from_forgery</span><span class="method-args">(options = {})</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked.
</p>
<p>
Example:
</p>
<pre>
  class FooController &lt; ApplicationController
    protect_from_forgery :except =&gt; :index

    # you can disable csrf protection on controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end
</pre>
<p>
Valid Options:
</p>
<ul>
<li><tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call. Set
which actions are verified.

</li>
</ul>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>