The default configuration for Rails’ ActionController::Base does not automatically include the anti-CSRF mechanism, protect_from_forgery. This leaves affected many Rails applications vulnerable to CSRF.
The issue has been mentioned in a Pull Request in Rails. Subsequently, a blog post was published to explore the extent of the impact. More technical information about the issue can be viewed here.
Hi @newbishme and thanks for your highlighting!
If you want you can directly contribute to the project and make a pull request 👍
It would be a pleasure to have our first external contributor :1st_place_medal:
Description of Issue
The default configuration for Rails’
ActionController::Base
does not automatically include the anti-CSRF mechanism,protect_from_forgery
. This leaves affected many Rails applications vulnerable to CSRF.The issue has been mentioned in a Pull Request in Rails. Subsequently, a blog post was published to explore the extent of the impact. More technical information about the issue can be viewed here.
Fix
A reasonable fix has been mentioned both in the Pull Request made in Rails, as well as in this blog post.
An example fix for most Rails Application would be as follows:
And for Rails Applications which are APIs: