I have an existing Rails backend website which makes JSON calls to the server. Now, I am developing a mobile iOS app to use the same backend and send calls in JSON. However, mobile requests are failing with:
WARNING: Can't verify CSRF token authenticity
Searching around stackoverflow, many suggested to disable csrf checks for json calls by using something like this:
# Or this in your application_controller.rb
def verified_request?
  if request.content_type == "application/json"
    # JSON requests skip the authenticity token check entirely
    true
  else
    # everything else falls back to Rails' normal token verification
    super()
  end
end
But my question is, I don't understand how this prevents CSRF attacks in JSON format. An attacker can always send a JSON request to our endpoint from their site. Does anyone have insights into this? I couldn't find any clear answer to this.
What you are describing is very easy to exploit using Flash:
If you look at the CSRF prevention cheat sheet you can check the Referer to make sure it's from a domain you trust. If the Referer is blank then it could be originating from an https URL, so that should be considered a failure. Relying on Ruby's CSRF token is a stronger form of CSRF protection.
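An added plain-Ruby model (not Rails code, and not from either post) that puts the question's Content-Type bypass next to a token-always-required policy and the Referer/Origin rule from the answer, so the difference in what each one accepts can be checked directly. The request hashes, session token and trusted host are constructed stand-ins for a real Rails request and session.

```ruby
require 'uri'

module CsrfPolicy
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Policy from the question: any request claiming to be JSON skips the token check.
  def self.content_type_only?(req, session)
    return true if SAFE_METHODS.include?(req[:method])
    return true if req[:content_type] == 'application/json'
    token_matches?(req, session)
  end

  # Stronger policy: every state-changing request must carry the session's
  # CSRF token, whatever Content-Type it claims.
  def self.token_required?(req, session)
    return true if SAFE_METHODS.include?(req[:method])
    token_matches?(req, session)
  end

  # Referer/Origin rule from the answer: the source host must be one of ours,
  # and a blank or missing header counts as a failure.
  def self.trusted_source?(req, trusted_hosts)
    source = req[:headers]['Origin'] || req[:headers]['Referer']
    return false if source.nil? || source.empty?
    host = URI.parse(source).host
    !host.nil? && trusted_hosts.include?(host)
  rescue URI::InvalidURIError
    false
  end

  def self.token_matches?(req, session)
    supplied = req[:headers]['X-CSRF-Token'] || req[:params]['authenticity_token']
    expected = session[:csrf_token]
    return false if supplied.nil? || expected.nil?
    secure_compare(supplied, expected)
  end

  # Constant-time comparison so a token cannot be guessed byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample data (hypothetical session, host and requests).
SESSION = { csrf_token: 'tok-123456' }.freeze
TRUSTED = ['app.example'].freeze
FORM_POST = { method: 'POST', content_type: 'application/x-www-form-urlencoded',
              headers: { 'Origin' => 'https://app.example' },
              params: { 'authenticity_token' => 'tok-123456' } }.freeze
CROSS_SITE_JSON = { method: 'POST', content_type: 'application/json',
                    headers: { 'Origin' => 'https://attacker.example' }, params: {} }.freeze
```

Under content_type_only? the cross-site JSON request is accepted with no token at all, while token_required? rejects it and trusted_source? rejects it on origin as well.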