From 85783534fcf1baefa5b502a2bfee235ae6d612d7 Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@users.noreply.github.com>
Date: Wed, 25 Nov 2015 15:06:12 -0700
Subject: Add option to verify Origin header in CSRF checks

---
 guides/source/configuring.md | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'guides')

diff --git a/guides/source/configuring.md b/guides/source/configuring.md
index 28388e4957..6d3ca8baac 100644
--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@@ -345,6 +345,8 @@ The schema dumper adds one additional configuration option:
 
 * `config.action_controller.allow_forgery_protection` enables or disables CSRF protection. By default this is `false` in test mode and `true` in all other modes.
 
+* `config.action_controller.forgery_protection_origin_check` configures whether the HTTP `Origin` header should be checked against the site's origin as an additional CSRF defense.
+
 * `config.action_controller.relative_url_root` can be used to tell Rails that you are [deploying to a subdirectory](configuring.html#deploy-to-a-subdirectory-relative-url-root). The default is `ENV['RAILS_RELATIVE_URL_ROOT']`.
 
 * `config.action_controller.permit_all_parameters` sets all the parameters for mass assignment to be permitted by default. The default value is `false`.
-- 
cgit v1.2.3