Module ActionController::RequestForgeryProtection
In: vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb

Methods

form_authenticity_param   form_authenticity_token   handle_unverified_request   included   protect_against_forgery?   verifiable_request_format?   verified_request?   verify_authenticity_token  

Classes and Modules

Module ActionController::RequestForgeryProtection::ClassMethods

Public Class methods

included(base)

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6
 6:     def self.included(base)
 7:       base.class_eval do
 8:         helper_method :form_authenticity_token
 9:         helper_method :protect_against_forgery?
10:       end
11:       base.extend(ClassMethods)
12:     end

Protected Instance methods

form_authenticity_param()

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 98
 98:       def form_authenticity_param
 99:         params[request_forgery_protection_token]
100:       end
form_authenticity_token()

Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 108
108:       def form_authenticity_token
109:         session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
110:       end
handle_unverified_request()

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 82
82:       def handle_unverified_request
83:         reset_session
84:       end
protect_against_forgery?()

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 112
112:       def protect_against_forgery?
113:         allow_forgery_protection && request_forgery_protection_token
114:       end
verifiable_request_format?()

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 102
102:       def verifiable_request_format?
103:         !request.content_type.nil? && request.content_type.verify_request?
104:       end
verified_request?()

Returns true or false if a request is verified. Checks:

  • is the format restricted? By default, only HTML requests are checked.
  • is it a GET request? Gets should be safe and idempotent
  • Does the form_authenticity_token match the given token value from the params?

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 91
91:       def verified_request?
92:         !protect_against_forgery?                            ||
93:           request.get?                                       ||
94:           form_authenticity_token == form_authenticity_param ||
95:           form_authenticity_token == request.headers['X-CSRF-Token']
96:       end
verify_authenticity_token()

The actual before_filter that is used. Modify this to change how you handle unverified requests.

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 78
78:       def verify_authenticity_token
79:         verified_request? || handle_unverified_request
80:       end

[Validate]