aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaulL1 <PaulL1@users.noreply.github.com>2014-04-17 21:20:17 +0200
committerPaulL1 <PaulL1@users.noreply.github.com>2014-04-17 21:20:17 +0200
commitd3152750b7f9e9c4c17ea0064f10bddd113374c8 (patch)
tree4c4ab84e84bf0337bc0de4064cd38579b1132ecd
parent92fd44b35df65556c8baad565421fd8fd44ee509 (diff)
downloadrails-d3152750b7f9e9c4c17ea0064f10bddd113374c8.tar.gz
rails-d3152750b7f9e9c4c17ea0064f10bddd113374c8.tar.bz2
rails-d3152750b7f9e9c4c17ea0064f10bddd113374c8.zip
Include default rails protect_from_forgery with: :exception
Extend previous changes, include the default line from the application controller that new rails applications are created with: protect_from_forgery with: :exception Minor wording changes to align.
-rw-r--r--guides/source/security.md8
1 files changed, 4 insertions, 4 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index a901589e4f..9d7fdb3c6d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -239,13 +239,13 @@ Or the attacker places the code into the onmouseover event handler of an image:
There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since XmlHttpRequest is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
-To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller:
+To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created rails applications:
```ruby
-protect_from_forgery
+protect_from_forgery with: :exception
```
-This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, the session will be reset.
+This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown.
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
@@ -255,7 +255,7 @@ rescue_from ActionController::InvalidAuthenticityToken do |exception|
end
```
-The above method can be placed in the `ApplicationController` and will be called when a CSRF token is not present on a non-GET request.
+The above method can be placed in the `ApplicationController` and will be called when a CSRF token is not present or is incorrect on a non-GET request.
Note that _cross-site scripting (XSS) vulnerabilities bypass all CSRF protections_. XSS gives the attacker access to all elements on a page, so they can read the CSRF security token from a form or directly submit the form. Read <a href="#cross-site-scripting-xss">more about XSS</a> later.