author Zachary Scott <e@zzak.io> 2014-07-29 10:27:33 -0700
committer Zachary Scott <e@zzak.io> 2014-07-29 10:27:33 -0700
commit 89ad1d85aa0462abd04bd0cf97a6daa0149f303e (patch)
tree 036fedd151f7e5c3e89091bed2754e5a02bf7851 /guides/source
parent d035124a20e2964074441fb1d4f7b4865eccc1fa (diff)
parent 3d4233004814ccc183436df604bef563bfad21a1 (diff)
Merge pull request #16329 from deependersingla/master
GET request should not write to database note added. [ci skip]
Diffstat (limited to 'guides/source')
-rw-r--r-- guides/source/routing.md | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/routing.md b/guides/source/routing.md
index 7a7334f25b..c56be7cc12 100644
--- a/guides/source/routing.md
+++ b/guides/source/routing.md
@@ -645,6 +645,8 @@ match 'photos', to: 'photos#show', via: :all
NOTE: Routing both `GET` and `POST` requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to.
+NOTE: 'GET' in Rails doesn't check for CSRF token. You should never write to the database from 'GET' requests, for more information see the [security guide] (security.html#csrf-countermeasures) on CSRF countermeasures.
+
### Segment Constraints
You can use the `:constraints` option to enforce a format for a dynamic segment:
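Review bot: The Markdown link in the added NOTE is broken by the space between `]` and `(`: `[security guide] (security.html#csrf-countermeasures)` will render as literal text rather than a link, so it should read `[security guide](security.html#csrf-countermeasures)`. On the same line, the verb is quoted as `'GET'` while the NOTE directly above uses backticks (`GET`); keep the guide's inline-code style, and replace the comma splice in "from 'GET' requests, for more information see" with a full stop so the second sentence stands on its own.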