Ensure forgery protection is enabled

Metadata

ID: ruby-security/rails-csrf

Language: Ruby

Severity: Warning

Category: Security

Description

The rule “Ensure forgery protection is enabled” is a crucial security practice in Ruby development, specifically when designing Rails applications. Cross-Site Request Forgery (CSRF) is a type of attack that tricks the victim into submitting a malicious request. It uses the identity and privileges of the victim to perform an undesired function on their behalf.

To mitigate this type of attack, it is essential to enable forgery protection in your application. In Rails, this is done by adding the protect_from_forgery method in your ApplicationController. This method generates a unique token for every session, and Rails automatically includes this token in all forms and Ajax requests generated by the framework.

If the protect_from_forgery method is not present in your ApplicationController, your application is vulnerable to CSRF attacks. Always ensure that this method is included and properly configured to prevent such security risks.

Learn More

Non-Compliant Code Examples

class VulnerableController < ActionController::Base
  def index
  end
end

Compliant Code Examples

class ApplicationController < ActionController::Base
  protect_from_forgery :with => :exception

  def index
  end
end
class ApplicationController < ActionController::Base
  protect_from_forgery

  def index
  end
end