author | Zachary Scott <e@zzak.io> | 2015-04-12 21:58:40 -0700 |
---|---|---|
committer | Zachary Scott <e@zzak.io> | 2015-04-12 21:58:40 -0700 |
commit | 2778ba8ed55280f92aeb699f59b5d386e139eca8 (patch) | |
tree | 90b62a9f20dc02968b8602d76552133ad79300e1 /actionpack | |
parent | e1ebf146b56a80395ed9e6d100bdb403921ada38 (diff) | |
Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip]
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index b6c613849b..663a969f72 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -42,6 +42,10 @@ module ActionController #:nodoc: # By default <tt>protect_from_forgery</tt> protects your session with # <tt>:null_session</tt> method, which provides an empty session during request # + # We may want to disable CSRF protection for APIs since they are typically + # designed to be state-less. That is, the requestion API client will handle + # the session for you instead of Rails. + # # The token parameter is named <tt>authenticity_token</tt> by default. The name and # value of this token must be added to every layout that renders forms by including # <tt>csrf_meta_tags</tt> in the HTML +head+. |
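Review bot: the added comment should state the condition under which skipping CSRF protection is actually safe, rather than "APIs ... are typically designed to be state-less": the line "the requestion API client will handle the session for you instead of Rails" (typo: "requesting"; also "stateless" rather than "state-less") is the real criterion, so say explicitly that forgery protection can be skipped only when the API does not authenticate requests through the browser session cookie, because an endpoint that still accepts the session cookie is exactly what a forged cross-site request exploits. It is also worth pointing readers at the <tt>:null_session</tt> strategy described two lines above this hunk, which already gives API controllers an empty session on unverified requests, as the preferred option over disabling the check outright.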