Class: Rack::Protection::AuthenticityToken
In: lib/rack/protection/authenticity_token.rb
Parent: Base
Prevented attack: CSRF
Supported browsers: all
More info: https://en.wikipedia.org/wiki/Cross-site_request_forgery
This middleware only accepts requests with a method other than GET, HEAD, OPTIONS or TRACE if the access token they carry matches the token stored in the session. It looks for the token in the X-CSRF-Token header and in the POST form data. Because those four methods bypass the check, handlers must not perform state-changing actions on them.
Compatible with the rack-csrf gem.
To show what the AuthenticityToken does, this section includes a sample program that renders two forms, one with and one without a CSRF token. Submitting the form that lacks the token field gets a 403 Forbidden response.
Install the gem, then run the program:

  gem install 'rack-protection'
  ruby server.rb

Here is server.rb:
  require 'rack/protection'

  app = Rack::Builder.app do
    # The session holds the expected token; the middleware reads it from env['rack.session'].
    use Rack::Session::Cookie, secret: 'secret'
    use Rack::Protection::AuthenticityToken

    run ->(env) do
      [200, { 'Content-Type' => 'text/html' }, [<<~EOS]]
        <!DOCTYPE html>
        <html lang="en">
          <head>
            <meta charset="UTF-8" />
            <title>rack-protection minimal example</title>
          </head>
          <body>
            <h1>Without Authenticity Token</h1>
            <p>This takes you to <tt>Forbidden</tt></p>
            <form action="" method="post">
              <input type="text" name="foo" />
              <input type="submit" />
            </form>

            <h1>With Authenticity Token</h1>
            <p>This successfully takes you back to this form.</p>
            <form action="" method="post">
              <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
              <input type="text" name="foo" />
              <input type="submit" />
            </form>
          </body>
        </html>
      EOS
    end
  end

  Rack::Handler::WEBrick.run app
To customize the authenticity parameter for form data, use the :authenticity_param option:
  use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
TOKEN_LENGTH = 32
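The rule described above (safe methods pass; other methods need a matching token from the X-CSRF-Token header or the form field named by :authenticity_param), as an added stand-alone illustration that is not rack-protection's own code. It assumes a plain Hash as the session, hex token encoding, and a `simulate` helper that builds constructed Rack envs and returns the status code.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Minimal stand-in for the middleware's check (illustration only, not the gem's implementation).
class MiniAuthenticityToken
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, authenticity_param: 'authenticity_token')
    @app = app
    @param = authenticity_param
  end

  def call(env)
    session = env['rack.session']
    session[:csrf] ||= SecureRandom.hex(TOKEN_LENGTH) # hex encoding is this example's choice
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return @app.call(env) if valid_token?(env, session[:csrf])
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end

  private
  def valid_token?(env, expected)
    submitted = env['HTTP_X_CSRF_TOKEN'] || form_param(env)
    !submitted.nil? && secure_compare(submitted, expected)
  end

  def form_param(env)
    return nil unless (input = env['rack.input'])
    body = input.read
    input.rewind # leave the body readable for the downstream app
    URI.decode_www_form(body).to_h[@param]
  end

  # Constant-time comparison so response timing does not leak the token.
  def secure_compare(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed requests against a trivial app; returns the HTTP status code.
OK_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
def simulate(method, session, body: nil, header_token: nil)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session }
  env['rack.input'] = StringIO.new(body) if body
  env['HTTP_X_CSRF_TOKEN'] = header_token if header_token
  MiniAuthenticityToken.new(OK_APP).call(env).first
end
```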