When to skip verify_authenticity_token

Why do people skip verification and increase the security vulnerability of their application? Is it useful to disable it on pages with only GET requests? Thanks in advance.

+8
ruby-on-rails ruby-on-rails-3
2 answers

The CSRF check is already skipped for GET requests in Rails.

http://guides.rubyonrails.org/security.html

3.1 CSRF Countermeasures - First, as required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF.

You can also see the method itself.

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-verify_authenticity_token

... Also, GET requests are not protected as these should be idempotent. ...

verified_request?(): Returns true or false if a request is verified. Checks: is it a GET request? GETs should be safe and idempotent.
+4
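The order of checks the answer quotes from verified_request?, reduced to a stand-alone Ruby script as an added example (not code from the question, the answers or Rails itself; the Request struct, the session key name and the token values are constructed stand-ins, and the real Rails method additionally masks tokens and checks other things):

```ruby
require "securerandom"

# Constructed stand-in for a Rails request carrying only what the check reads.
Request = Struct.new(:http_method, :params, :headers, :session, keyword_init: true)

# Constant-time comparison so the time taken does not leak how many leading
# bytes of a guessed token matched the real one.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the documented order of verified_request?: GET and HEAD are exempt
# because they are expected to be safe and idempotent, so a GET that changes
# state is simply not covered. Every other method must present the session's
# token either as the authenticity_token param or in the X-CSRF-Token header.
def verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)

  expected = req.session[:_csrf_token]
  return false if expected.nil?

  presented = req.params["authenticity_token"] || req.headers["X-CSRF-Token"]
  return false if presented.nil?

  secure_compare(presented, expected)
end

# Builds the session as a controller would on first use: one random token per session.
def new_session
  { _csrf_token: SecureRandom.base64(32) }
end

if $PROGRAM_NAME == __FILE__
  session = new_session
  get  = Request.new(http_method: "GET",  params: {}, headers: {}, session: session)
  post = Request.new(http_method: "POST", params: {}, headers: {}, session: session)
  ok   = Request.new(http_method: "POST", params: { "authenticity_token" => session[:_csrf_token] },
                     headers: {}, session: session)
  puts "GET without token:  #{verified_request?(get)}"   # true, never checked
  puts "POST without token: #{verified_request?(post)}"  # false, rejected
  puts "POST with token:    #{verified_request?(ok)}"    # true
end
```

The practical consequence for the question: skipping the check buys nothing on GET-only actions, since they are never checked, and any action that changes state must not be reachable by GET in the first place.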

If you have an application with cross-domain requests, you may get errors from the authenticity token check, and you can disable it, but, of course, your application will not be safe. In Rails 3, there are special methods for handling cross-domain requests out of the box.

+1
