What if i’m using rails as api, so my frontend is seperated from rails can i still prevent csrf and how?
So lets take an example where we use ember for frontend and rails as api.
In this case, apart from adding
protect_from_forgery in application controller you have to do additional three things.
One you have to add the following code in application controller:
Here we are sending the newly generated
form_authenticity_token in the response of xhr request(ajax- XMLHttpRequest)
request.xhr? is to ensure that it is ajax request, we would not want to send the token to any other request right.
Two you have to set this new token in meta tag by extracting it from the response.
Third you will send csrf token in the request header by extracting it from the meta tag.
you can achieve two and three by adding following code in
app.js of ember
Why change csrf token in header on every post request and not only when session changes?
If it were to change token only when session changes there would be an extra overhead to trigger session change and then generate csrf token and set in header.
It is a lot easier to randomally generate csrf token using
session[:_csrf_token] on every post request.
- 13 Nov 2017 Sheet, Comparison of frontend js frameworks.
- 11 Nov 2017 Why is it so hard to develop good software?
- 04 Sep 2017 Is Graphql here to replace REST Api
- 05 Jun 2017 My awesome list of english songs
- 29 May 2017 Troll software intern
- 17 May 2017 What is icon font and why use it over png.
- 16 May 2017 Philosophical difference between ruby and python.
- 15 May 2017 Given an array, find number of subsets with k elements, where absolute difference between the maximum and mininmum element is at most x
- 15 May 2017 Automated testing of google autocomplete using cucumber and capybara
- 15 May 2017 How to manage assets in rails, difference between app, vendor and lib assets, what is asset pipeline?
- 15 May 2017 Swap elements in dom by drag and drop.
- 15 May 2017 What are the options with which protect_with_forgery is called?
- 15 May 2017 How to add csrf in ember app.
- 15 May 2017 Sessions and csrf in rails.
- 15 May 2017 Best practices while using ooor gem for making rpc calls to odoo(openerp) from ruby framework
- 09 May 2017 Integrate paytm payment with rails app
- 08 May 2017 Automated deployment on github pages using jekyll themes.
- 01 May 2017 How to add inline image in gmail.
- 01 May 2017 Undefined method `user_confirmation_path' error with devise rails.