From ec4a836919c021c0a5cf9ebeebb4db5e02104a55 Mon Sep 17 00:00:00 2001 From: Lisa Ugray Date: Mon, 10 Jul 2017 11:12:45 -0400 Subject: Protect from forgery by default Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base by config. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2. --- guides/source/configuring.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'guides/source') diff --git a/guides/source/configuring.md b/guides/source/configuring.md index 21b3ca0efa..28ceef9740 100644 --- a/guides/source/configuring.md +++ b/guides/source/configuring.md @@ -401,6 +401,8 @@ The schema dumper adds one additional configuration option: * `config.action_controller.per_form_csrf_tokens` configures whether CSRF tokens are only valid for the method/action they were generated for. +* `config.action_controller.default_protect_from_forgery` determines whether forgery protection is added on `ActionController:Base`. This is false by default, but enabled when loading defaults for Rails 5.2. + * `config.action_controller.relative_url_root` can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). The default is `ENV['RAILS_RELATIVE_URL_ROOT']`. * `config.action_controller.permit_all_parameters` sets all the parameters for mass assignment to be permitted by default. The default value is `false`. -- cgit v1.2.3