diff options
| author | Ben Toews <mastahyeti@users.noreply.github.com> | 2015-11-25 15:06:12 -0700 |
|---|---|---|
| committer | Ben Toews <mastahyeti@users.noreply.github.com> | 2015-11-25 15:06:12 -0700 |
| commit | 85783534fcf1baefa5b502a2bfee235ae6d612d7 (patch) | |
| tree | 64c3c3fe095f7da41c309a238f1c02186eccd08f /guides/source/configuring.md | |
| parent | cb67c819338d75c07a591dc23759747c740a5088 (diff) | |
| download | rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.gz rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.bz2 rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.zip | |
Add option to verify Origin header in CSRF checks
Diffstat (limited to 'guides/source/configuring.md')
| -rw-r--r-- | guides/source/configuring.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 28388e4957..6d3ca8baac 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -345,6 +345,8 @@ The schema dumper adds one additional configuration option: * `config.action_controller.allow_forgery_protection` enables or disables CSRF protection. By default this is `false` in test mode and `true` in all other modes. +* `config.action_controller.forgery_protection_origin_check` configures whether the HTTP `Origin` header should be checked against the site's origin as an additional CSRF defense. + * `config.action_controller.relative_url_root` can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). The default is `ENV['RAILS_RELATIVE_URL_ROOT']`. * `config.action_controller.permit_all_parameters` sets all the parameters for mass assignment to be permitted by default. The default value is `false`. |