Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
Example:
class FooController < ApplicationController protect_from_forgery :except => :index
You can disable csrf protection on controller-by-controller basis:
skip_before_filter :verify_authenticity_token
It can also be disabled for specific controller actions:
skip_before_filter :verify_authenticity_token, :except => [:create]
Valid Options:
:only/:except - Passed to the before_filter call. Set which actions are verified.
# File lib/action_controller/metal/request_forgery_protection.rb, line 66 def protect_from_forgery(options = {}) self.request_forgery_protection_token ||= :authenticity_token prepend_before_filter :verify_authenticity_token, options end
Generated with the Darkfish Rdoc Generator 2.