diff options
| -rw-r--r-- | guides/source/routing.md | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/guides/source/routing.md b/guides/source/routing.md index 7a7334f25b..c56be7cc12 100644 --- a/guides/source/routing.md +++ b/guides/source/routing.md @@ -645,6 +645,8 @@ match 'photos', to: 'photos#show', via: :all NOTE: Routing both `GET` and `POST` requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to. +NOTE: 'GET' in Rails doesn't check for CSRF token. You should never write to the database from 'GET' requests, for more information see the [security guide] (security.html#csrf-countermeasures) on CSRF countermeasures. + ### Segment Constraints You can use the `:constraints` option to enforce a format for a dynamic segment: |