
Skipping CSRF protection isn't required

Open Damu112 opened this issue 10 years ago • 2 comments

I guess you should mention that CSRF protection can be enabled by a workaround. The average beginner might not be aware of the consequences of just deactivating this security feature.

Stack Overflow has a pretty good workaround.

Damu112 avatar Jan 18 '15 12:01 Damu112

Yup. I'll see about updating the code to account for this. At the time I wasn't aware of how to deal with it.

davetron5000 avatar Feb 08 '15 17:02 davetron5000

In order to follow up on this: It's simply a matter of adding the following code to your application_controller.rb:

class ApplicationController < ActionController::Base
  # Reject a non-GET request without a valid token instead of silently nulling the session
  protect_from_forgery with: :exception

  # Rails 4 name; after_action is the equivalent in Rails 5 and later
  after_filter :set_csrf_cookie_for_ng

  # Expose the token in a cookie that Angular's $http reads and echoes back in the
  # X-XSRF-TOKEN header on every non-GET request. The cookie must not be HttpOnly,
  # since Angular reads it from JavaScript.
  def set_csrf_cookie_for_ng
    cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
  end

  protected

  # Accept the token from the header as well as from the usual authenticity_token param
  def verified_request?
    super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
  end
end

The rest is automatically handled by Angular when it sees the XSRF-TOKEN cookie. See also the Stack Overflow question Damu112 already mentioned.

thomaskonrad avatar Nov 11 '15 19:11 thomaskonrad
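The flow thomaskonrad describes, as an added stand-alone model that is not code from the book or the thread: `CsrfDemo` plays the Rails side (a masked token in the cookie, unmasked and checked on the way back), `run_flow` plays one same-origin Angular request and one cross-site forgery, and the request hashes are constructed stand-ins for the Rack request.

```ruby
require 'securerandom'

# Constructed model of the cookie-to-header CSRF flow from the thread: no Rails,
# only the token logic plus one same-origin and one cross-site request.
class CsrfDemo
  TOKEN_LENGTH = 32
  # Per-session secret stays server-side; the client only sees a masked copy in the cookie.
  def initialize
    @session = { csrf_token: SecureRandom.random_bytes(TOKEN_LENGTH) }
  end
  # Like form_authenticity_token: XOR with a fresh pad so each response's cookie differs.
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor(@session[:csrf_token], pad)].pack('m0')
  end
  # Like valid_authenticity_token?: unmask, then compare in constant time.
  def valid_token?(encoded)
    bytes = encoded.to_s.unpack1('m0')
    return false unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad, masked = bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_equal?(xor(masked, pad), @session[:csrf_token])
  rescue ArgumentError # not valid strict base64
    false
  end
  # The override from the comment: take the token from the X-XSRF-TOKEN header.
  # `request` is a constructed hash standing in for the Rack request.
  def verified_request?(request)
    valid_token?(request[:headers]['X-XSRF-TOKEN'])
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end
  # Constant-time comparison: no early exit on the first differing byte.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Runs both requests against one session; returns { same_origin: true, forged: false }.
def run_flow
  app = CsrfDemo.new
  cookie = app.masked_token # what set_csrf_cookie_for_ng puts in cookies['XSRF-TOKEN']
  # Same-origin Angular: $http reads the cookie and copies it into the header.
  same_origin = { cookies: { 'XSRF-TOKEN' => cookie }, headers: { 'X-XSRF-TOKEN' => cookie } }
  # Cross-site forgery: the browser attaches the cookie by itself, but the attacking
  # page cannot read it, so the header is absent and the request is rejected.
  forged = { cookies: { 'XSRF-TOKEN' => cookie }, headers: {} }
  { same_origin: app.verified_request?(same_origin), forged: app.verified_request?(forged) }
end
```

The forged request carries the very same cookie as the legitimate one and is still rejected, which is the whole point of reading the token back from a header rather than from the cookie.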