From 2c73115b2fd1c547a8cf543a41b8b8b9d04925e1 Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Mon, 24 Sep 2007 17:59:17 +0000
Subject: port over some of the csrf_killer README docs

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7614 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 .../lib/action_controller/request_forgery_protection.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'actionpack/lib/action_controller/request_forgery_protection.rb')

diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index a5044619a1..1802acc568 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -22,6 +22,19 @@ module ActionController #:nodoc:
 # the token doesn't match what was expected. And it will add a _token parameter to all forms that are automatically generated
 # by Rails. You can customize the error message given through public/422.html.
 #
+ # Learn more about CSRF (Cross-Site Request Forgery) attacks:
+ #
+ # * http://isc.sans.org/diary.html?storyid=1750
+ # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ #
+ # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application. There are a few guidelines you
+ # should follow:
+ #
+ # * Keep your GET requests safe and idempotent. More reading material:
+ # * http://www.xml.com/pub/a/2002/04/24/deviant.html
+ # * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+ # * Make sure the session cookies that Rails creates are non-persistent. Check in Firefox and look for "Expires: at end of session"
+ #
 # Example:
 #
 # class FooController < ApplicationController
--
cgit v1.2.3
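Review bot: The last added guideline reads as if a non-persistent session cookie protects against CSRF, but it only shortens the exposure window — a forged request still succeeds for as long as the victim's browser holds a live session — so the doc should present it as a complement to the token check rather than a defence in its own right, e.g. `# * Make sure the session cookies that Rails creates are non-persistent. This limits how long a stolen session is useful; it does not stop a forged request while the user is logged in.` Likewise the "Keep your GET requests safe and idempotent" bullet would land better with its reason stated: a GET carries no form token, so any state change reachable via GET stays forgeable regardless of this module (hedged, since the request-method check itself is not in the hunk). The comment block and the enclosing module continue outside this hunk.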