-1

I have a question which i can't seem to figure out from all the googling. I am building a rails app basically an api app. When i give out post request it returns me with an error 'InvalidAuthenticityToken' so i used 

  skip_before_action :verify_authenticity_token

And after some googling i came to know that it is not recommended to skip this because our app will be vulnerable to CSRF attacks. I am also using doorkeeper gem for my authentication. My question is that even if i have the doorkeeper gem for authentication will my app be still vulnerable to attacks ?

I have also placed this code in my application controller and removed the above code

  protect_from_forgery with: :null_session

Is this safe or can someone say how to properly implement this ?

Amal
  • 190
  • 1
  • 8

1 Answers1

0

It's good to have CSRF attack protection in your app. In api you can add this token to header and pass it between frontend and backend. I used this guide from pragmatic studio to set it up in my application:

https://pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication

However, I have no idea how will it work with doorkeeper (haven't used it).

Tomasz S
  • 148
  • 5