Instance Public methods
protect_from_forgery(options = {})

Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.

  class ApplicationController < ActionController::Base
    protect_from_forgery
  end

  class FooController < ApplicationController
    protect_from_forgery except: :index
  end

You can disable forgery protection on a controller by skipping the verification before_action:

  skip_before_action :verify_authenticity_token

Valid Options:

  • :only/:except - Only apply forgery protection to a subset of actions. Like only: [ :create, :create_all ].

  • :if/:unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.

  • :prepend - By default, the verification of the authentication token is added to the front of the callback chain. If you need to make the verification depend on other callbacks, like authentication methods (say cookies vs OAuth), this might not work for you. Pass prepend: false to just add the verification callback in the position of the #protect_from_forgery call. This means any callbacks added before are run first.

  • :with - Set the method used to handle an unverified request.

Valid unverified request handling methods are:

  • :exception - Raises ActionController::InvalidAuthenticityToken exception.

  • :reset_session - Resets the session.

  • :null_session - Provides an empty session during the request but doesn't reset it completely. Used as the default if the :with option is not specified.
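As an added example (not Rails' own code), the stand-alone Ruby model below reproduces the behaviour documented above: GET and HEAD pass unchecked, :only/:except filter the callback, :prepend decides whether the check runs before or after earlier callbacks such as authentication, and :with selects what happens on a token mismatch. MiniController, DefaultController, StrictController and authenticate_user are assumed names for illustration.

```ruby
class InvalidAuthenticityToken < StandardError; end

# Stand-in for a Rails controller (not Rails' code): a before_action chain plus
# the documented protect_from_forgery options (:with, :only/:except, :prepend).
class MiniController
  UNSAFE = %w[POST PUT PATCH DELETE].freeze
  class << self
    attr_accessor :strategy
    def callbacks; @callbacks ||= []; end
    def before_action(name, prepend: false, only: nil, except: nil)
      entry = [name, Array(only), Array(except)]
      prepend ? callbacks.unshift(entry) : callbacks.push(entry)
    end
    # Documented defaults: with: :null_session, prepend: true.
    def protect_from_forgery(with: :null_session, prepend: true, **filters)
      self.strategy = with
      before_action(:verify_authenticity_token, prepend: prepend, **filters)
    end
  end

  attr_reader :session, :trace
  def initialize(method, action, session, token = nil)
    @method, @action, @session, @token, @trace = method, action, session, token, []
  end

  # Runs the chain honouring only:/except:; returns the order callbacks fired in.
  def run
    self.class.callbacks.each do |name, only, except|
      next if (only.any? && !only.include?(@action)) || except.include?(@action)
      send(name)
    end
    @trace
  end

  def verify_authenticity_token
    @trace << :verify
    return unless UNSAFE.include?(@method)         # GET and HEAD are never checked
    return if @token && @token == @session[:csrf]  # real Rails compares in constant time
    case self.class.strategy
    when :exception     then raise InvalidAuthenticityToken
    when :reset_session then @session.clear        # wipes the caller's session
    when :null_session  then @session = {}         # empty session for this request only
    end
  end
  def authenticate_user; @trace << :auth; end
end

class DefaultController < MiniController  # prepend: true (default): CSRF check runs first
  before_action :authenticate_user
  protect_from_forgery except: :index
end
class StrictController < MiniController   # prepend: false: check runs after authenticate_user
  before_action :authenticate_user
  protect_from_forgery with: :exception, prepend: false
end
```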

# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 114
def protect_from_forgery(options = {})
  options = options.reverse_merge(prepend: true)

  self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
  self.request_forgery_protection_token ||= :authenticity_token
  before_action :verify_authenticity_token, options
  append_after_action :verify_same_origin_request
end