Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of Rails anti-CSRF defaults when Controller is inherited from ActionController::Base #1

Open
newbishme opened this issue Mar 21, 2017 · 0 comments
Open

Lack of Rails anti-CSRF defaults when Controller is inherited from ActionController::Base #1

newbishme opened this issue Mar 21, 2017 · 0 comments

Comments

@newbishme
Copy link

Description of Issue

The default configuration for Rails’ ActionController::Base does not automatically include the anti-CSRF mechanism, protect_from_forgery. This leaves affected many Rails applications vulnerable to CSRF.

The issue has been mentioned in a Pull Request in Rails. Subsequently, a blog post was published to explore the extent of the impact. More technical information about the issue can be viewed here.

Fix

A reasonable fix has been mentioned both in the Pull Request made in Rails, as well as in this blog post.

An example fix for most Rails Application would be as follows:

class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+

And for Rails Applications which are APIs:

class ApplicationController < ActionController::Base
+    protect_from_forgery with: :null_session
+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@newbishme