Rails integration for AngularJS style CSRF protection
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib Version 3.2.0 May 15, 2018
test Allow custom cookie name to be set (#34) May 15, 2018
.gitignore Exclude for certain actions and revert for after_filter. Closes #17 (#25 Sep 29, 2016
.travis.yml try with install Apr 10, 2018
CHANGELOG.md Version 3.2.0 May 15, 2018
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md Jan 16, 2018
Gemfile update rubies Jan 16, 2018
LICENSE some docs Jan 16, 2018
README.md Version 3.2.0 May 15, 2018
Rakefile Version 1.0.0 Dec 13, 2013
angular_rails_csrf.gemspec support for rails 5.2.0 Apr 10, 2018


AngularJS-style CSRF Protection for Rails

Gem Version Build Status

The AngularJS ng.$http service has built-in CSRF protection. By default, it looks for a cookie named XSRF-TOKEN and, if found, writes its value into an X-XSRF-TOKEN header, which the server compares with the CSRF token saved in the user's session.

This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of csrf_meta_tags to write a CSRF token into your page markup, so it works for pure JSON API applications.

Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.

Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!


Add this line to your application's Gemfile:

gem 'angular_rails_csrf'

And then execute:

$ bundle

That's it!


Cookie Name

The default cookie's name is XSRF-TOKEN but it can be configured with the angular_rails_csrf_cookie_name setting:

# application.rb
class Application < Rails::Application
  config.angular_rails_csrf_cookie_name = 'CUSTOM_NAME'

Cookie Domain

Starting from version 3, you may set domain for the XSRF cookie:

# application.rb
class Application < Rails::Application
  config.angular_rails_csrf_domain = :all

If angular_rails_csrf_domain is not set, it defaults to nil.


Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed here):

class ExclusionsController < ApplicationController
  # your actions here...



$ bundle install

and then

$ rake test


Licensed under the MIT License.