The default configuration for Rails’ ActionController::Base does not automatically include the anti-CSRF mechanism, protect_from_forgery. This leaves affected many Rails applications vulnerable to CSRF.
The issue has been mentioned in a Pull Request in Rails. Subsequently, a blog post was published to explore the extent of the impact. More technical information about the issue can be viewed here.
Description of Issue
The default configuration for Rails’
ActionController::Basedoes not automatically include the anti-CSRF mechanism,protect_from_forgery. This leaves affected many Rails applications vulnerable to CSRF.The issue has been mentioned in a Pull Request in Rails. Subsequently, a blog post was published to explore the extent of the impact. More technical information about the issue can be viewed here.
Fix
A reasonable fix has been mentioned both in the Pull Request made in Rails, as well as in this blog post.
An example fix for most Rails Application would be as follows:
And for Rails Applications which are APIs: