
I don't understand why protect_from_forgery is secure. It may provide an authenticity token on every non-GET form. But as I see it, it is only static data. I tried going to several pages on my own site to check that. If that's the case, why doesn't the malicious link already include this, as a coder can obtain it by visiting the site directly? Or is the actual authenticity token randomized over time, and I just haven't tried it for long enough?

Note: I have only tried this in the test environment.

Huangism
  • possible duplicate of [Understand Rails Authenticity Token](http://stackoverflow.com/questions/941594/understand-rails-authenticity-token) – jkeuhlen Jul 30 '14 at 14:13

1 Answer

There are myriad resources available on this topic that discuss how protect_from_forgery works and how it makes your application more secure.

As a starting place, there is the Rails security guide, which discusses this as well as several other topics.

There is also a Wikipedia page that discusses cross-site request forgery.

Finally, this question already has a great answer on SO.

Hope these resources help.

jkeuhlen
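The point the question circles around is that the authenticity token is not a site-wide constant: Rails stores one random secret per visitor session (in the session cookie's data) and checks every non-GET request's token against the secret of the session that sent the request. Within one session the token therefore looks static, but a token obtained from a different session (the attacker's own) will not verify against the victim's session. Rails 4.2 and later additionally mask the secret with a fresh one-time pad on every render, so the string in the form changes each time even though the underlying session secret does not. The following is an added example written for this page, not code from the question, the answer, or Rails itself; the names Session, issue_token, verify_token and secure_equal? are assumptions chosen to illustrate the mechanism.

```ruby
require 'securerandom'
require 'base64'

# Added example (not from the original post or from Rails): a minimal model of how
# protect_from_forgery binds the authenticity token to the visitor's session.
# Session, issue_token, verify_token and secure_equal? are illustrative names.

TOKEN_BYTES = 32

# One random secret per session for its whole lifetime (Rails keeps it in
# session[:_csrf_token]). This is why the token appears "static" while browsing:
# it is constant per session, not per site.
class Session
  attr_reader :csrf_token
  def initialize
    @csrf_token = SecureRandom.base64(TOKEN_BYTES)
  end
end

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token embedded in a rendered form. As in Rails 4.2+, the session secret is
# masked with a fresh one-time pad, so every render yields a different string.
def issue_token(session)
  raw = Base64.strict_decode64(session.csrf_token)
  pad = SecureRandom.random_bytes(raw.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

# Server-side check on a non-GET request: unmask the submitted token and compare
# it with the secret of the session that made the request. Missing, malformed or
# foreign-session tokens are rejected.
def verify_token(session, submitted)
  return false if submitted.nil?
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false
  end
  raw = Base64.strict_decode64(session.csrf_token)
  return false unless decoded.bytesize == 2 * raw.bytesize
  pad = decoded[0, raw.bytesize]
  masked = decoded[raw.bytesize..-1]
  secure_equal?(xor_bytes(pad, masked), raw)
end

# Walk through the scenario from the question: a token copied from one session
# does not verify against another, even though both came from the same site.
def demo
  victim = Session.new
  other = Session.new
  {
    own_token_accepted: verify_token(victim, issue_token(victim)),
    other_session_token_rejected: !verify_token(victim, issue_token(other)),
    two_renders_differ: issue_token(victim) != issue_token(victim),
    missing_token_rejected: !verify_token(victim, nil)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The session secret lives only in the victim's session cookie and in forms the server rendered for that session; a page the attacker loads in their own browser carries a token for the attacker's session, which is why including it in a crafted link does not help. The masking step is a separate concern (it prevents compression-based leakage of the constant secret), not what makes the token per-visitor.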