diff options
Diffstat (limited to 'railties/doc')
-rw-r--r-- | railties/doc/guides/source/actioncontroller_basics/csrf.txt | 30 | ||||
-rw-r--r-- | railties/doc/guides/source/actioncontroller_basics/index.txt | 2 |
2 files changed, 32 insertions, 0 deletions
diff --git a/railties/doc/guides/source/actioncontroller_basics/csrf.txt b/railties/doc/guides/source/actioncontroller_basics/csrf.txt new file mode 100644 index 0000000000..a43cd26c3d --- /dev/null +++ b/railties/doc/guides/source/actioncontroller_basics/csrf.txt @@ -0,0 +1,30 @@ +== Request Forgery Protection == + +Cross-site request forgery is a type of attack in which a site tricks a user into making requests on another site, possibly adding, modifying or deleting data on that site without the user's knowledge or permission. The first step to avoid this is to make sure all "destructive" actions (create, update and destroy) can only be accessed with non-GET requests. If you're following RESTful conventions you're already doing this. However, a malicious site can still send a non-GET request to your site quite easily, and that's where the request forgery protection comes in. As the name says, it protects from forged requests. The way this is done is to add a non-guessable token which is only known to your server to each request. This way, if a request comes in without it, it will be denied access. + +If you generate a form like so: + +----------------------------------------- +<% form_for @user do |f| -%> + <%= f.text_field :username %> + <%= f.text_field :password -%> +<% end -%> +----------------------------------------- + +You will see how the token gets added as a hidden field: + +----------------------------------------- +<form action="/users/1" method="post"> +<div><!-- ... --><input type="hidden" value="67250ab105eb5ad10851c00a5621854a23af5489" name="authenticity_token"/></div> +<!-- Fields --> +</form> +----------------------------------------- + +Rails adds this token to every form that's generated using the link:../form_helpers.html[form helpers], so most of the time you don't have to worry about it. If you're writing a form manually or need to add the token for another reason, it's available through the method `form_authenticity_token`: + +.Add a JavaScript variable containing the token for use with Ajax +----------------------------------------- +<%= javascript_tag "MyApp.authenticity_token = '#{form_authenticity_token}'" %> +----------------------------------------- + +The link:../security.html[Security Guide] has more about this and a lot of other security-related issues you should be aware of when developing a web application. diff --git a/railties/doc/guides/source/actioncontroller_basics/index.txt b/railties/doc/guides/source/actioncontroller_basics/index.txt index 0b884e590b..90feb65569 100644 --- a/railties/doc/guides/source/actioncontroller_basics/index.txt +++ b/railties/doc/guides/source/actioncontroller_basics/index.txt @@ -17,6 +17,8 @@ include::filters.txt[] include::verification.txt[] +include::csrf.txt[] + include::request_response_objects.txt[] include::http_auth.txt[] |