Ensure forgery protection is enabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: ruby-security/rails-csrf
Language: Ruby
Severity: Warning
Category: Security
CWE: 352
Description
The rule “Ensure forgery protection is enabled” is a crucial security practice in Ruby development, specifically when designing Rails applications. Cross-Site Request Forgery (CSRF) is a type of attack that tricks the victim into submitting a malicious request. It uses the identity and privileges of the victim to perform an undesired function on their behalf.
To mitigate this type of attack, it is essential to enable forgery protection in your application. In Rails, this is done by adding the protect_from_forgery method in your ApplicationController. This method generates a unique token for every session, and Rails automatically includes this token in all forms and Ajax requests generated by the framework.
If the protect_from_forgery method is not present in your ApplicationController, your application is vulnerable to CSRF attacks. Always ensure that this method is included and properly configured to prevent such security risks.
Learn More
Non-Compliant Code Examples
class VulnerableController < ActionController::Base
def index
end
end
Compliant Code Examples
class ApplicationController < ActionController::Base
protect_from_forgery :with => :exception
def index
end
end
class ApplicationController < ActionController::Base
protect_from_forgery
def index
end
end
