Permalink
Browse files

Add section on CSRF to AC guide

  • Loading branch information...
1 parent 6d12daf commit 4adbaadad362e0a3e30cf9ffbca9c3808561077e @toretore toretore committed Nov 4, 2008
View
30 railties/doc/guides/source/actioncontroller_basics/csrf.txt
@@ -0,0 +1,30 @@
+== Request Forgery Protection ==
+
+Cross-site request forgery is a type of attack in which a site tricks a user into making requests on another site, possibly adding, modifying or deleting data on that site without the user's knowledge or permission. The first step to avoid this is to make sure all "destructive" actions (create, update and destroy) can only be accessed with non-GET requests. If you're following RESTful conventions you're already doing this. However, a malicious site can still send a non-GET request to your site quite easily, and that's where the request forgery protection comes in. As the name says, it protects from forged requests. The way this is done is to add a non-guessable token which is only known to your server to each request. This way, if a request comes in without it, it will be denied access.
+
+If you generate a form like so:
+
+-----------------------------------------
+<% form_for @user do |f| -%>
+ <%= f.text_field :username %>
+ <%= f.text_field :password -%>
+<% end -%>
+-----------------------------------------
+
+You will see how the token gets added as a hidden field:
+
+-----------------------------------------
+<form action="/users/1" method="post">
+<div><!-- ... --><input type="hidden" value="67250ab105eb5ad10851c00a5621854a23af5489" name="authenticity_token"/></div>
+<!-- Fields -->
+</form>
+-----------------------------------------
+
+Rails adds this token to every form that's generated using the link:../form_helpers.html[form helpers], so most of the time you don't have to worry about it. If you're writing a form manually or need to add the token for another reason, it's available through the method `form_authenticity_token`:
+
+.Add a JavaScript variable containing the token for use with Ajax
+-----------------------------------------
+<%= javascript_tag "MyApp.authenticity_token = '#{form_authenticity_token}'" %>
+-----------------------------------------
+
+The link:../security.html[Security Guide] has more about this and a lot of other security-related issues you should be aware of when developing a web application.
View
2 railties/doc/guides/source/actioncontroller_basics/index.txt
@@ -17,6 +17,8 @@ include::filters.txt[]
include::verification.txt[]
+include::csrf.txt[]
+
include::request_response_objects.txt[]
include::http_auth.txt[]

0 comments on commit 4adbaad

Please sign in to comment.