diff options
| author | Lisa Ugray <lisa.ugray@shopify.com> | 2017-07-10 11:12:45 -0400 |
|---|---|---|
| committer | Lisa Ugray <lisa.ugray@shopify.com> | 2017-07-10 16:23:47 -0400 |
| commit | ec4a836919c021c0a5cf9ebeebb4db5e02104a55 (patch) | |
| tree | ae03e9e4fdff6d55fec6477e4a50c5f9750c9bd7 /guides/source | |
| parent | b6300f3ecc79bff29cf9bb804a30fd92403feac1 (diff) | |
| download | rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.gz rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.tar.bz2 rails-ec4a836919c021c0a5cf9ebeebb4db5e02104a55.zip | |
Protect from forgery by default
Rather than protecting from forgery in the generated
ApplicationController, add it to ActionController::Base by config. This
configuration defaults to false to support older versions which have
removed it from their ApplicationController, but is set to true for
Rails 5.2.
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/configuring.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 21b3ca0efa..28ceef9740 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -401,6 +401,8 @@ The schema dumper adds one additional configuration option: * `config.action_controller.per_form_csrf_tokens` configures whether CSRF tokens are only valid for the method/action they were generated for. +* `config.action_controller.default_protect_from_forgery` determines whether forgery protection is added on `ActionController:Base`. This is false by default, but enabled when loading defaults for Rails 5.2. + * `config.action_controller.relative_url_root` can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). The default is `ENV['RAILS_RELATIVE_URL_ROOT']`. * `config.action_controller.permit_all_parameters` sets all the parameters for mass assignment to be permitted by default. The default value is `false`. |