| Class | Rack::Protection::AuthenticityToken |
| In: | lib/rack/protection/authenticity_token.rb |
| Parent: | Base |
| Prevented attack: | CSRF |
| Supported browsers: | all |
| More infos: | en.wikipedia.org/wiki/Cross-site_request_forgery |
This middleware accepts requests using a method other than GET, HEAD, OPTIONS or TRACE only if the token the request supplies matches the token stored in the session.
It looks for that token in the X-CSRF-Token header and in the POST form data.
Compatible with the rack-csrf gem.
To show what the AuthenticityToken does, this section includes a sample program that renders two forms, one with and one without a CSRF token. Submitting the form without the token field gets a 403 Forbidden response.
Install the gem, then run the program:
  gem install rack-protection
  ruby server.rb
Here is server.rb:
  require 'rack/protection'

  # Rack::Session::Cookie and Rack::Handler::WEBrick ship with Rack 2; under
  # Rack 3 they live in the rack-session and rackup gems respectively.
  app = Rack::Builder.app do
    # The session holds the CSRF token the middleware compares against.
    use Rack::Session::Cookie, secret: 'secret'
    use Rack::Protection::AuthenticityToken
    run ->(env) do
      [200, {}, [
        <<~EOS
          <!DOCTYPE html>
          <html lang="en">
          <head>
            <meta charset="UTF-8" />
            <title>rack-protection minimal example</title>
          </head>
          <body>
            <h1>Without Authenticity Token</h1>
            <p>This takes you to <tt>Forbidden</tt></p>
            <form action="" method="post">
              <input type="text" name="foo" />
              <input type="submit" />
            </form>
            <h1>With Authenticity Token</h1>
            <p>This successfully takes you back to this form.</p>
            <form action="" method="post">
              <!-- the hidden field carries the token stored in the session -->
              <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
              <input type="text" name="foo" />
              <input type="submit" />
            </form>
          </body>
          </html>
        EOS
      ]]
    end
  end

  Rack::Handler::WEBrick.run app
To customize the authenticity parameter for form data, use the :authenticity_param option:
use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
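The following is an added, stand-alone illustration of the check described above (safe methods pass, every other method must present the session's token via the X-CSRF-Token header or the form field, with the field name adjustable as with authenticity_param). It is not the gem's own code, uses only the Ruby standard library, and keeps the token under the `:csrf` session key that server.rb reads.

```ruby
require 'securerandom'
require 'uri'

# Added stand-alone illustration of the check AuthenticityToken performs; it is
# not the gem's own code and uses only the Ruby standard library. The token is
# kept in the session under :csrf, the key server.rb above reads as well.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
TOKEN_LENGTH = 32

# Constant-time comparison, so a wrong guess leaks no timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token the client presented: the X-CSRF-Token header wins, then the form field.
def submitted_token(env, param_name)
  header = env['HTTP_X_CSRF_TOKEN']
  return header unless header.nil? || header.empty?
  return nil unless env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
  input = env['rack.input']
  body = input.respond_to?(:read) ? input.read : input.to_s # IO in real Rack, String below
  URI.decode_www_form(body).to_h[param_name]
end

# True when the request passes: safe methods always, others only on a token match.
def accept?(env, authenticity_param: 'authenticity_token')
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  session = env['rack.session'] ||= {}
  session[:csrf] ||= SecureRandom.hex(TOKEN_LENGTH)
  token = submitted_token(env, authenticity_param)
  !token.nil? && secure_compare(session[:csrf], token)
end

# Constructed requests sharing one session, as one browser tab would send them.
def demo
  session = { csrf: SecureRandom.hex(TOKEN_LENGTH) }
  base = { 'rack.session' => session, 'CONTENT_TYPE' => 'application/x-www-form-urlencoded' }
  post = base.merge('REQUEST_METHOD' => 'POST')
  {
    get_no_token:  accept?(base.merge('REQUEST_METHOD' => 'GET')),
    post_no_token: accept?(post.merge('rack.input' => 'foo=bar')),
    post_form:     accept?(post.merge('rack.input' => "foo=bar&authenticity_token=#{session[:csrf]}")),
    post_header:   accept?(post.merge('HTTP_X_CSRF_TOKEN' => session[:csrf])),
    post_wrong:    accept?(post.merge('HTTP_X_CSRF_TOKEN' => 'x' * session[:csrf].bytesize)),
    post_renamed:  accept?(post.merge('rack.input' => "my_tok=#{session[:csrf]}"), authenticity_param: 'my_tok')
  }
end
```

Only the `post_no_token` and `post_wrong` requests are rejected; the real middleware answers those with the 403 Forbidden seen in the sample program.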
Constants:
| TOKEN_LENGTH | = | 32 |