diff options
| author | Deepender Singla <deependersingla@Deependers-MacBook-Pro.local> | 2014-07-29 22:48:50 +0530 |
|---|---|---|
| committer | Deepender Singla <deependersingla@Deependers-MacBook-Pro.local> | 2014-07-29 22:48:50 +0530 |
| commit | 3d4233004814ccc183436df604bef563bfad21a1 (patch) | |
| tree | da28a38dda172d6d36ed84fdbf61c064b60ae4ab /guides/source/routing.md | |
| parent | da1b8a786cad277c1e4dc1a9f03acec4268dda1f (diff) | |
| download | rails-3d4233004814ccc183436df604bef563bfad21a1.tar.gz rails-3d4233004814ccc183436df604bef563bfad21a1.tar.bz2 rails-3d4233004814ccc183436df604bef563bfad21a1.zip | |
Get request should not write to database note added. [skip ci]
Diffstat (limited to 'guides/source/routing.md')
| -rw-r--r-- | guides/source/routing.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/routing.md b/guides/source/routing.md index 7a7334f25b..c56be7cc12 100644 --- a/guides/source/routing.md +++ b/guides/source/routing.md @@ -645,6 +645,8 @@ match 'photos', to: 'photos#show', via: :all NOTE: Routing both `GET` and `POST` requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to. +NOTE: 'GET' in Rails doesn't check for CSRF token. You should never write to the database from 'GET' requests, for more information see the [security guide] (security.html#csrf-countermeasures) on CSRF countermeasures. + ### Segment Constraints You can use the `:constraints` option to enforce a format for a dynamic segment: |