diff options
author | Rafael França <rafaelmfranca@gmail.com> | 2015-11-26 14:23:50 -0200 |
---|---|---|
committer | Rafael França <rafaelmfranca@gmail.com> | 2015-11-26 14:23:50 -0200 |
commit | e1e6499ede1dd196c03f650b95c3a0098c7c32ff (patch) | |
tree | 934b91cfbf3950483900976f42dd827e90edf5a0 /guides | |
parent | d25205241b4f8d38b8ab106ffc1c465a8a697415 (diff) | |
parent | 85783534fcf1baefa5b502a2bfee235ae6d612d7 (diff) | |
download | rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.tar.gz rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.tar.bz2 rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.zip |
Merge pull request #22263 from mastahyeti/csrf-origin-check
Add option to verify Origin header in CSRF checks
[Jeremy Daer + Rafael Mendonça França]
Diffstat (limited to 'guides')
-rw-r--r-- | guides/source/configuring.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/configuring.md b/guides/source/configuring.md index dbb432db20..09f7007603 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -345,6 +345,8 @@ The schema dumper adds one additional configuration option: * `config.action_controller.allow_forgery_protection` enables or disables CSRF protection. By default this is `false` in test mode and `true` in all other modes. +* `config.action_controller.forgery_protection_origin_check` configures whether the HTTP `Origin` header should be checked against the site's origin as an additional CSRF defense. + * `config.action_controller.relative_url_root` can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). The default is `ENV['RAILS_RELATIVE_URL_ROOT']`. * `config.action_controller.permit_all_parameters` sets all the parameters for mass assignment to be permitted by default. The default value is `false`. |