This extension is part of the Rack::Protection project. Run gem install rack-protection to have it available.

Prevented attack


Supported browsers


More infos


This middleware only accepts requests other than GET, HEAD, OPTIONS, TRACE if their given access token matches the token included in the session.

It checks the X-CSRF-Token header and the POST form data.

Compatible with the rack-csrf gem.



:authenticity_param: the name of the param that should contain the token on a request. Default value: "authenticity_token"
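The check described above, as a stand-alone Ruby sketch. This is an added example, not Rack::Protection's own code: the helpers `accepts?`, `secure_compare`, `status_for` and `demo`, and the request hashes, are constructed for illustration and use only the standard library.

```ruby
require 'securerandom'

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Constant-time comparison so timing does not reveal how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# env: Rack-style request hash; form: parsed POST form data; session: session hash.
def accepts?(env, form, session, authenticity_param = 'authenticity_token')
  session[:csrf] ||= SecureRandom.hex(32) # issue a token on first contact
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])

  # The X-CSRF-Token header reaches a Rack app as HTTP_X_CSRF_TOKEN.
  candidates = [env['HTTP_X_CSRF_TOKEN'], form[authenticity_param]]
  # Only plain strings count: nil (missing) or an array (token[]=...) is rejected.
  candidates.any? { |c| c.is_a?(String) && secure_compare(c, session[:csrf]) }
end

def status_for(env, form, session, authenticity_param = 'authenticity_token')
  accepts?(env, form, session, authenticity_param) ? 200 : 403
end

# Constructed sample requests, all against one session.
def demo
  session = {}
  first = status_for({ 'REQUEST_METHOD' => 'GET' }, {}, session) # sets session[:csrf]
  token = session[:csrf]
  post = { 'REQUEST_METHOD' => 'POST' }
  {
    get: first,
    post_without_token: status_for(post, { 'foo' => 'bar' }, session),
    post_with_form_token: status_for(post, { 'authenticity_token' => token }, session),
    post_with_header: status_for(post.merge('HTTP_X_CSRF_TOKEN' => token), {}, session),
    post_wrong_token: status_for(post, { 'authenticity_token' => 'x' * token.size }, session),
    post_array_token: status_for(post, { 'authenticity_token' => [token] }, session),
    custom_param: status_for(post, { 'my_token' => token }, session, 'my_token'),
    default_name_ignored: status_for(post, { 'authenticity_token' => token }, session, 'my_token')
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Once a custom parameter name is configured, a token sent under the default name no longer satisfies the check, which is why the last case returns 403.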


Example: Forms application

To show what the AuthenticityToken does, this section includes a sample program which shows two forms: one with, and one without a CSRF token. The one without the CSRF token field will get a 403 Forbidden response.

Install the gem, then run the program:

gem install 'rack-protection'
ruby server.rb

Here is server.rb:

require 'rack/protection'

app = Rack::Builder.app do
  # The session stores the CSRF token; use a long random secret outside of a demo.
  use Rack::Session::Cookie, secret: 'secret'
  use Rack::Protection::AuthenticityToken

  run -> (env) do
    [200, { 'content-type' => 'text/html' }, [
      <<~HTML
        <!DOCTYPE html>
        <html lang="en">
          <meta charset="UTF-8" />
          <title>rack-protection minimal example</title>
          <h1>Without Authenticity Token</h1>
          <p>This takes you to <tt>Forbidden</tt></p>
          <form action="" method="post">
            <input type="text" name="foo" />
            <input type="submit" />
          </form>

          <h1>With Authenticity Token</h1>
          <p>This successfully takes you back to this form.</p>
          <form action="" method="post">
            <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
            <input type="text" name="foo" />
            <input type="submit" />
          </form>
        </html>
      HTML
    ]]
  end
end

# Rack 2 handler; with Rack 3 this lives in the rackup gem as Rackup::Handler::WEBrick.
Rack::Handler::WEBrick.run app

Example: Customize which POST parameter holds the token

To customize the authenticity parameter for form data, use the :authenticity_param option:

use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'