Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am a ASP.NET Developer trying to learn Rails and RESTful approach. To understand, I am planning to write a Email client, which would make RESTful GET call to the server to fetch the emails and POST to send an email.
What are the best practices (both generic and/or specific to Rails) to be followed so that, the above application is not exposing any XSRF vulnerabilities.
The Ruby on Rails Security Project has a good post on this.
Essentially, Rails 2.0 and above have built-in protection for XSRF attacks. Every form created via the form helpers includes a hidden field with a special token in it. Each time a POST (or non-GET) is received, the token is checked against a secret on the server. If they don’t match, a security exception is thrown and the request is ignored.
Read the article. They do a better job explaining it.