AngularJS-style CSRF Protection for Rails
The AngularJS ng.$http service has built-in CSRF protection. By default, it looks for a cookie named
XSRF-TOKEN and, if found, writes its value into an
X-XSRF-TOKEN header, which the server compares with the CSRF token saved in the user's session.
This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of
csrf_meta_tags to write a CSRF token into your page markup, so it works for pure JSON API applications.
Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.
Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!
Add this line to your application's Gemfile:
And then execute:
The default cookie's name is
XSRF-TOKEN but it can be configured with the
# application.rb class Application < Rails::Application #... config.angular_rails_csrf_cookie_name = 'CUSTOM_NAME' end
Starting from version 3, you may set domain for the XSRF cookie:
# application.rb class Application < Rails::Application #... config.angular_rails_csrf_domain = :all end
angular_rails_csrf_domain is not set, it defaults to
Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed here):
class ExclusionsController < ApplicationController exclude_xsrf_token_cookie # your actions here... end
$ bundle install
$ rake test
Licensed under the MIT License.