This extension is part of the Rack::Protection project. Run gem install rack-protection to have it available.


Prevented attack: CSRF

Supported browsers: all

More info: en.wikipedia.org/wiki/Cross-site_request_forgery

This middleware accepts requests with methods other than GET, HEAD, OPTIONS and TRACE only if the token they carry matches the token stored in the session.

It checks the X-CSRF-Token header and the POST form data.

Compatible with the rack-csrf gem.

Options

:authenticity_param

the name of the param that should contain the token on a request. Default value: "authenticity_token"

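To make the rule above concrete, here is an added, self-contained stand-in (not rack-protection's own code) that mirrors the check: safe methods pass, every other method needs a token, taken from X-CSRF-Token or the form field, that matches the session token; the :authenticity_param keyword plays the role of the option above. The class name MiniAuthenticityToken and the run_request helper are inventions for this illustration.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'
# Minimal stand-in for the rule above (added example, not rack-protection code):
# safe methods pass, anything else needs a token matching the session's token.
class MiniAuthenticityToken
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, authenticity_param: 'authenticity_token')
    @app = app
    @param = authenticity_param
  end

  def call(env)
    session = env['rack.session']
    session[:csrf] ||= SecureRandom.base64(32) # issue a token on first contact
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return @app.call(env) if valid_token?(env, session[:csrf])
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end

  private
  # Accept the token from the X-CSRF-Token header or from the form field.
  def valid_token?(env, expected)
    candidate = env['HTTP_X_CSRF_TOKEN'] || form_param(env)
    !candidate.nil? && secure_compare(candidate, expected)
  end

  def form_param(env)
    return nil unless env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')
    body = env['rack.input'].read
    env['rack.input'].rewind
    URI.decode_www_form(body).to_h[@param]
  end

  # Constant-time comparison so a mismatch does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Build a Rack env against a shared session hash and return the status code.
def run_request(app, method, session, header_token: nil, form: {})
  env = { 'REQUEST_METHOD' => method, 'rack.session' => session,
          'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
          'rack.input' => StringIO.new(URI.encode_www_form(form)) }
  env['HTTP_X_CSRF_TOKEN'] = header_token if header_token
  app.call(env).first
end
```

A GET against a fresh session seeds session[:csrf]; a following POST is 403 unless it carries that value in the form field or the header.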

Example: Forms application

To show what AuthenticityToken does, this section includes a sample program that renders two forms, one with and one without a CSRF token. Submitting the form without the token field gets a 403 Forbidden response.

Install the gem, then run the program:

gem install 'rack-protection'
ruby server.rb

Here is server.rb:

require 'rack/protection'

app = Rack::Builder.app do
  # A session store is required: the middleware keeps the expected token in the session.
  use Rack::Session::Cookie, secret: 'secret'
  use Rack::Protection::AuthenticityToken

  # The application renders the two forms; the token is read back from the session.
  run -> (env) do
    [200, {}, [
      <<~EOS
        <!DOCTYPE html>
        <html lang="en">
        <head>
          <meta charset="UTF-8" />
          <title>rack-protection minimal example</title>
        </head>
        <body>
          <h1>Without Authenticity Token</h1>
          <p>This takes you to <tt>Forbidden</tt></p>
          <form action="" method="post">
            <input type="text" name="foo" />
            <input type="submit" />
          </form>

          <h1>With Authenticity Token</h1>
          <p>This successfully takes you back to this form.</p>
          <form action="" method="post">
            <input type="hidden" name="authenticity_token" value="#{env['rack.session'][:csrf]}" />
            <input type="text" name="foo" />
            <input type="submit" />
          </form>
        </body>
        </html>
      EOS
    ]]
  end
end

Rack::Handler::WEBrick.run app

Example: Customize which POST parameter holds the token

To customize the authenticity parameter for form data, use the :authenticity_param option:

use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'