This extension is part of the Rack::Protection project. Run gem install rack-protection to have it available.


Prevented attack

CSRF

Supported browsers

Google Chrome 2, Safari 4 and later

More infos

en.wikipedia.org/wiki/Cross-site_request_forgery tools.ietf.org/html/draft-abarth-origin

</dl>

Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or permitted URIs.

If you want to permit a specific domain, you can pass in as the `:permitted_origins` option:

use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]

The `:allow_if` option can also be set to a proc to use custom allow/deny logic.