diff options
Diffstat (limited to 'guides/source/routing.md')
-rw-r--r-- | guides/source/routing.md | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/guides/source/routing.md b/guides/source/routing.md index c8f8ba3044..af8c1bbcc4 100644 --- a/guides/source/routing.md +++ b/guides/source/routing.md @@ -645,6 +645,8 @@ match 'photos', to: 'photos#show', via: :all NOTE: Routing both `GET` and `POST` requests to a single action has security implications. In general, you should avoid routing all verbs to an action unless you have a good reason to. +NOTE: 'GET' in Rails won't check for CSRF token. You should never write to the database from 'GET' requests, for more information see the [security guide](security.html#csrf-countermeasures) on CSRF countermeasures. + ### Segment Constraints You can use the `:constraints` option to enforce a format for a dynamic segment: @@ -681,7 +683,7 @@ You can also constrain a route based on any method on the [Request object](actio You specify a request-based constraint the same way that you specify a segment constraint: ```ruby -get 'photos', constraints: { subdomain: 'admin' } +get 'photos', to: 'photos#index', constraints: { subdomain: 'admin' } ``` You can also specify constraints in a block form: |