Class: Rack::Protection::HttpOrigin
In: lib/rack/protection/http_origin.rb
Parent: Base
Prevented attack: CSRF
Supported browsers: Google Chrome 2, Safari 4 and later
More info: en.wikipedia.org/wiki/Cross-site_request_forgery, tools.ietf.org/html/draft-abarth-origin
Rejects unsafe HTTP requests (anything other than GET, HEAD, OPTIONS or TRACE) whose Origin request header does not match the application's own origin or one of the whitelisted URIs. Requests that carry no Origin header at all are let through, since there is nothing to compare.
To whitelist specific origins, pass them as the `:origin_whitelist` option:
    use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.0.1:3000"]
The `:allow_if` option can also be set to a proc that receives the Rack env and implements custom allow/deny logic.
Constants:
    DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
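The following is an added, self-contained reimplementation of the Origin comparison described above; it is not the rack-protection source and does not require the rack gem. It assumes a Rack-style env hash (REQUEST_METHOD, rack.url_scheme, SERVER_NAME, SERVER_PORT, HTTP_ORIGIN), uses the DEFAULT_PORTS table so that a default port is treated as absent when building the request's own origin, and exercises the documented cases (safe method, missing Origin, same origin, whitelisted origin, foreign origin, and an `:allow_if` override) against constructed sample requests. The class name OriginCheck, the helper names and the hostnames are assumptions made for this example.

```ruby
# Added illustration of the HttpOrigin rule set (not rack-protection's own code).
class OriginCheck
  DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }.freeze
  SAFE_METHODS  = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(origin_whitelist: [], allow_if: nil)
    @whitelist = Array(origin_whitelist)
    @allow_if  = allow_if
  end

  # Returns true when the request should be passed to the application.
  def accepts?(env)
    return true if @allow_if && @allow_if.call(env)        # custom override wins
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    origin = env['HTTP_ORIGIN']
    return true if origin.nil?                             # no Origin header: nothing to compare
    return true if base_url(env) == origin                 # same-origin request
    @whitelist.include?(origin)                            # explicitly trusted origin
  end

  # The request's own origin. The port is omitted when it is the scheme default,
  # so a browser's "https://app.example" matches a server listening on 443.
  def base_url(env)
    scheme = env['rack.url_scheme']
    host   = env['SERVER_NAME']
    port   = env['SERVER_PORT'].to_i
    port == DEFAULT_PORTS[scheme] ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
  end
end

# Constructed sample requests (hypothetical hosts, not real traffic).
def sample_env(method, origin, scheme: 'https', host: 'app.example', port: 443, path: '/')
  env = { 'REQUEST_METHOD' => method, 'rack.url_scheme' => scheme,
          'SERVER_NAME' => host, 'SERVER_PORT' => port.to_s, 'PATH_INFO' => path }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

# Runs the documented cases and returns a hash of outcomes.
def run_samples
  check = OriginCheck.new(origin_whitelist: ['http://localhost:3000'])
  {
    same_origin_post:  check.accepts?(sample_env('POST', 'https://app.example')),
    foreign_post:      check.accepts?(sample_env('POST', 'https://other.example')),
    whitelisted_post:  check.accepts?(sample_env('POST', 'http://localhost:3000')),
    foreign_get:       check.accepts?(sample_env('GET',  'https://other.example')),
    no_origin_post:    check.accepts?(sample_env('POST', nil)),
    # Non-default port must appear in the computed origin to match.
    nondefault_port:   check.accepts?(sample_env('POST', 'https://app.example:8443', port: 8443)),
    port_mismatch:     check.accepts?(sample_env('POST', 'https://app.example', port: 8443))
  }
end

# :allow_if example: a proc that exempts one path (e.g. an endpoint that is
# authenticated by other means) from the Origin check.
def run_allow_if_sample
  check = OriginCheck.new(allow_if: ->(env) { env['PATH_INFO'] == '/webhooks' })
  {
    exempt_path:   check.accepts?(sample_env('POST', 'https://other.example', path: '/webhooks')),
    regular_path:  check.accepts?(sample_env('POST', 'https://other.example', path: '/account'))
  }
end

if __FILE__ == $PROGRAM_NAME
  run_samples.merge(run_allow_if_sample).each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" }
end
```

The port handling is the part worth noting when reviewing a deployment: a request reaching the app on a non-default port (or behind a proxy that rewrites SERVER_PORT) computes a different base URL than the browser sent, so a legitimate same-origin POST is rejected unless the exact string is whitelisted or `:allow_if` covers it.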