Class Rack::Protection::AuthenticityToken
In: lib/rack/protection/authenticity_token.rb
Parent: Base
Prevented attack: CSRF
Supported browsers: all
More info: en.wikipedia.org/wiki/Cross-site_request_forgery

This middleware only accepts requests other than GET, HEAD, OPTIONS and TRACE if the token supplied with the request matches the token stored in the session; any other non-safe request is rejected with 403 Forbidden.

It looks for the token in the X-CSRF-Token header and in the POST form data (the parameter named by :authenticity_param).

Compatible with the rack-csrf gem.

Options

:authenticity_param
the name of the param that should contain the token on a request. Default value: "authenticity_token"

Example: Forms application

To show what the AuthenticityToken does, this section includes a sample program which renders two forms, one with and one without a CSRF token field. Submitting the form without the token field gets a 403 Forbidden response; submitting the one with it brings you back to the page.

Install the gem, then run the program:

  gem install rack-protection
  ruby server.rb

Here is server.rb:

  require 'rack/protection'

  app = Rack::Builder.app do
    # The session middleware must be mounted before AuthenticityToken, because
    # the token lives in env['rack.session']. 'secret' is a placeholder for this
    # demo only: anyone who knows it can forge session cookies, so use a long
    # random value in a real deployment.
    use Rack::Session::Cookie, secret: 'secret'
    use Rack::Protection::AuthenticityToken

    run -> (env) do
      [200, { 'Content-Type' => 'text/html' }, [
        <<~EOS
          <!DOCTYPE html>
          <html lang="en">
          <head>
            <meta charset="UTF-8" />
            <title>rack-protection minimal example</title>
          </head>
          <body>
            <h1>Without Authenticity Token</h1>
            <p>This takes you to <tt>Forbidden</tt>.</p>
            <form action="" method="post">
              <input type="text" name="foo" />
              <input type="submit" />
            </form>

            <h1>With Authenticity Token</h1>
            <p>This successfully takes you back to this form.</p>
            <form action="" method="post">
              <!-- the token the middleware stored in the session on the GET request -->
              <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
              <input type="text" name="foo" />
              <input type="submit" />
            </form>
          </body>
          </html>
        EOS
      ]]
    end
  end

  Rack::Handler::WEBrick.run app

Example: Customize which POST parameter holds the token

To change the name of the form parameter that carries the token, pass the :authenticity_param option:

  use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
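The following is an added example, not code from rack-protection itself: a stdlib-only stand-in for the check described at the top of this page (safe methods pass; any other method needs a token, from the X-CSRF-Token header or the form parameter, equal to the session token), so the 403-versus-200 behaviour and the :authenticity_param option can be exercised without a browser or the gem installed. The class name CsrfCheck, the helper names csrf_request and csrf_demo, and the sample requests are assumptions constructed for the illustration; the session key :csrf is the one the form above reads.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Hypothetical stand-in for Rack::Protection::AuthenticityToken (added
# example, not the gem's code), kept dependency-free so it runs offline.
class CsrfCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  TOKEN_LENGTH = 32                      # bytes of randomness per token
  SESSION_KEY  = :csrf                   # assumption: same key the page's form reads
  HEADER_KEY   = 'HTTP_X_CSRF_TOKEN'     # Rack env name for the X-CSRF-Token header

  def initialize(app, authenticity_param: 'authenticity_token')
    @app   = app
    @param = authenticity_param
  end

  # Rack entry point: issue a token on first contact, then reject any
  # non-safe request whose supplied token does not match the session's.
  def call(env)
    session = env['rack.session'] ||= {}
    session[SESSION_KEY] ||= SecureRandom.base64(TOKEN_LENGTH)
    return [403, { 'content-type' => 'text/plain' }, ['Forbidden']] unless accepts?(env, session)

    @app.call(env)
  end

  def accepts?(env, session)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    expected = session[SESSION_KEY]
    [env[HEADER_KEY], form_param(env)].compact.any? { |given| secure_compare(expected, given) }
  end

  private

  # Token from an application/x-www-form-urlencoded body, under the configured name.
  def form_param(env)
    input = env['rack.input']
    return nil unless input

    input.rewind
    value = URI.decode_www_form(input.read.to_s).to_h[@param]
    input.rewind                         # leave the body readable for the app
    value
  end

  # Constant-time comparison so a mismatch does not reveal how many leading
  # bytes matched; only the (already public) length check short-circuits.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

OK_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Build a constructed Rack env (sample request, not captured traffic) and
# return the status the middleware stack produces for it.
def csrf_request(method, session:, header: nil, form: nil, param: 'authenticity_token')
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session }
  env['HTTP_X_CSRF_TOKEN'] = header if header
  env['rack.input'] = StringIO.new(URI.encode_www_form(form)) if form
  CsrfCheck.new(OK_APP, authenticity_param: param).call(env).first
end

# Walk one browser session through the cases the page describes.
def csrf_demo
  session = {}
  out = {}
  out[:get] = csrf_request('GET', session: session)            # safe method: passes, token issued
  token = session[:csrf]
  wrong = token.tr('A-Za-z0-9', 'B-ZAb-za1-90')                # same length, different bytes
  out[:post_no_token] = csrf_request('POST', session: session)
  out[:post_form]     = csrf_request('POST', session: session, form: { 'foo' => 'x', 'authenticity_token' => token })
  out[:post_header]   = csrf_request('POST', session: session, header: token)
  out[:post_wrong]    = csrf_request('POST', session: session, header: wrong)
  # :authenticity_param renames the form field; the old name is then ignored.
  out[:post_custom]   = csrf_request('POST', session: session, form: { 'my_token' => token }, param: 'my_token')
  out[:post_old_name] = csrf_request('POST', session: session, form: { 'authenticity_token' => token }, param: 'my_token')
  out
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

The two things worth carrying over to any real implementation are that the session middleware has to run first (the token has nowhere to live otherwise) and that the comparison is constant-time; both hold for the gem's middleware as described on this page.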

Constants

TOKEN_LENGTH = 32
