2 files changed, 17 insertions, 5 deletions

diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
index e8065d9505..b3d6adad2a 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
+++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
@@ -1,3 +1,5 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery
+  # prevent CSRF attacks by raising an exception,
+  # if your application has an API, you'll probably need to use :reset_session
+  protect_from_forgery :with => :exception
 end
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index c9310aff87..ac5ac2b93e 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -275,19 +275,23 @@ module ApplicationTests
 
       require "#{app_path}/config/environment"
 
+      token = "cf50faa3fe97702ca1ae"
+      PostsController.any_instance.stubs(:form_authenticity_token).returns(token)
+      params = {:authenticity_token => token}
+
       get "/posts/1"
       assert_match /patch/, last_response.body
 
-      patch "/posts/1"
+      patch "/posts/1", params
       assert_match /update/, last_response.body
 
-      patch "/posts/1"
+      patch "/posts/1", params
       assert_equal 200, last_response.status
 
-      put "/posts/1"
+      put "/posts/1", params
       assert_match /update/, last_response.body
 
-      put "/posts/1"
+      put "/posts/1", params
       assert_equal 200, last_response.status
     end
 
@@ -528,6 +532,12 @@ module ApplicationTests
       end
       RUBY
 
+      app_file 'app/controllers/application_controller.rb', <<-RUBY
+      class ApplicationController < ActionController::Base
+        protect_from_forgery :with => :reset_session # as we are testing API here
+      end
+      RUBY
+
       app_file 'app/controllers/posts_controller.rb', <<-RUBY
       class PostsController < ApplicationController
         def create