Home/ Questions/Q 7761401
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T14:07:34+00:00

How can I retrieve the CSRF token to pass with a JSON request? I

  • 0

How can I retrieve the CSRF token to pass with a JSON request?

I know that for security reasons Rails is checking the CSRF token on all the request types (including JSON/XML).

I could put in my controller skip_before_filter :verify_authenticity_token, but I would lose the CRSF protection (not advisable 🙂 ).

This similar (still not accepted) answer suggests to

Retrieve the token with <%= form_authenticity_token %>

The question is how? Do I need to do a first call to any of my pages to retrieve the token and then do my real authentication with Devise? Or it is an information one-off that I can get from my server and then use consistently (until I manually change it on the server itself)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    EDIT:

    In Rails 4 I now use what @genkilabs suggests in the comment below:

    protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }

    Which, instead of completely turning off the built in security, kills off any session that might exist when something hits the server without the CSRF token.

    skip_before_filter :verify_authenticity_token, :if => Proc.new { |c| c.request.format == 'application/json' }

    This would turn off the CSRF check for json posts/puts that have properly been marked as such.

    For example, in iOS setting the following to your NSURLRequest where “parameters” are your parameters:

    [request setHTTPMethod:@"POST"];

[request setValue:@"application/json" 
       forHTTPHeaderField:@"content-type"];

[request setValue:@"application/json" 
       forHTTPHeaderField:@"accept"];

[request setHTTPBody:[NSData dataWithBytes:[parameters UTF8String] 
                                            length:[parameters length]]];
    • 0