From 245941101b1ea00a9b1af613c20b0ee994a43946 Mon Sep 17 00:00:00 2001
From: Sergey Nartimov <just.lest@gmail.com>
Date: Fri, 9 Mar 2012 19:33:06 +0300
Subject: configure how unverified request will be handled

can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option

possible values:
- :reset_session (default)
- :exception

new applications are generated with:

    protect_from_forgery :with => :exception
---
 .../rails/app/templates/app/controllers/application_controller.rb     | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'railties/lib')

diff --git a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
index e8065d9505..b3d6adad2a 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
+++ b/railties/lib/rails/generators/rails/app/templates/app/controllers/application_controller.rb
@@ -1,3 +1,5 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery
+  # prevent CSRF attacks by raising an exception,
+  # if your application has an API, you'll probably need to use :reset_session
+  protect_from_forgery :with => :exception
 end
-- 
cgit v1.2.3