Friday, November 27, 2015

CSRF Protection: When It Breaks, It Breaks Very Quietly

CSRF Protection

Cross-site request forgery (CSRF) is tricking the browser with a malicious (or compromised) site B to access something on site A.  Since requests for site A would include site A's cookie whether requested by A or not, an image tag or embedded JavaScript on site B can submit some requests on site A that a logged-in user can do, like accessing private info with the appropriate POST parameters to make it happen. Rails has a mechanism that defends against CSRF: all one should to do is include a few lines of code as:

class ApplicationController < ActionController::Base
  protect_from_forgery
end

class FooController < ApplicationController
  protect_from_forgery except: :index

Rails will then basically generate cryptographically secure random number, totally transparently to the developer; it is called the CSRF token.


No comments:

Post a Comment