authorZachary Scott <e@zzak.io>2015-04-12 21:58:40 -0700
committerZachary Scott <e@zzak.io>2015-04-12 21:58:40 -0700
commit2778ba8ed55280f92aeb699f59b5d386e139eca8 (patch)
tree90b62a9f20dc02968b8602d76552133ad79300e1 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parente1ebf146b56a80395ed9e6d100bdb403921ada38 (diff)
Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip]
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb4
1 files changed, 4 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index b6c613849b..663a969f72 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -42,6 +42,10 @@ module ActionController #:nodoc:
# By default <tt>protect_from_forgery</tt> protects your session with
# <tt>:null_session</tt> method, which provides an empty session during request
#
+ # We may want to disable CSRF protection for APIs since they are typically
+ # designed to be state-less. That is, the requestion API client will handle
+ # the session for you instead of Rails.
+ #
# The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including
# <tt>csrf_meta_tags</tt> in the HTML +head+.
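Review bot: The added paragraph presents skipping CSRF protection for APIs as safe on the grounds that they are stateless, but that only holds when the endpoints do not accept a cookie-backed session; an API that is also reachable with the browser's session cookie remains forgeable from a third-party page, so the note should state that condition rather than leave it to the word "typically". Something like `# We may want to disable CSRF protection for APIs that authenticate each request` / `# with a token or credential rather than the session cookie, since they are` / `# designed to be stateless. That is, the requesting API client handles authentication` would make the qualification explicit. The same added lines carry the typo `requestion` (for `requesting`) and spell `state-less` where the rest of Rails writes `stateless`. The enclosing comment block for `protect_from_forgery` starts before the hunk.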