---
title: Ensure forgery protection is enabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Ensure forgery protection is enabled
---

# Ensure forgery protection is enabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `ruby-security/rails-csrf`

**Language:** Ruby

**Severity:** Warning

**Category:** Security

**CWE**: [352](https://cwe.mitre.org/data/definitions/352.html)

## Description{% #description %}

Enabling forgery protection is an essential security practice for Ruby applications built on Rails. Cross-Site Request Forgery (CSRF) is an attack that tricks a victim's browser into submitting a request the victim did not intend. Because the browser attaches the victim's cookies, the request carries the victim's identity and privileges, and the application performs the action on their behalf.

To mitigate this class of attack, enable forgery protection in your application. In Rails, this is done by calling `protect_from_forgery` in your `ApplicationController`. The method generates a unique token for every session, Rails automatically embeds that token in every form and Ajax request generated by the framework, and any state-changing request whose token does not match the session's token is rejected.

If `protect_from_forgery` is absent from your `ApplicationController`, your application is vulnerable to CSRF attacks. Skipping the `verify_authenticity_token` callback in a controller disables the protection for that controller in the same way. Always ensure that this method is present and properly configured to prevent such security risks.
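The following is an added, self-contained illustration of the mechanism described above: a per-session secret token, a masked copy of that token embedded in each form, and verification of state-changing requests. It is not Rails' own implementation and depends on no Rails code; the `session` hash, the `request` hash (`:method`, `:params`, `:headers`) and the `ForgeryProtection` module are assumed stand-ins for the real framework objects.

```ruby
require "securerandom"
require "base64"

# Added illustration, not Rails' own code: a minimal model of what
# protect_from_forgery does. The session holds one random token; each
# response embeds a masked copy of it; unsafe requests are rejected
# unless the token they carry unmasks to the session's token.
module ForgeryProtection
  TOKEN_LENGTH = 32                        # raw token size in bytes
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze  # read-only methods are not checked

  # Hypothetical session store: a plain Hash standing in for the Rails session.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  end

  # The value placed in a form's hidden authenticity_token field. The raw
  # token is XORed with a fresh one-time pad so the embedded value differs
  # on every response (this is why Rails masks tokens: a constant secret in
  # compressed responses would be exposed to compression side channels).
  def self.masked_token(session)
    raw = Base64.strict_decode64(session_token(session))
    pad = SecureRandom.random_bytes(raw.bytesize)
    Base64.strict_encode64(pad + xor(raw, pad))
  end

  # Reverse the masking; returns nil for anything that is not a well-formed token.
  def self.unmask(value)
    bytes = Base64.strict_decode64(value)
    return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad = bytes[0, TOKEN_LENGTH]
    masked = bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    Base64.strict_encode64(xor(masked, pad))
  rescue ArgumentError
    nil
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so a near-miss does not leak through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The check a before_action such as verify_authenticity_token performs.
  # request is a constructed Hash: { method:, params:, headers: }.
  def self.verified_request?(session, request)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

    submitted = request.dig(:params, :authenticity_token) ||
                request.dig(:headers, "X-CSRF-Token")
    return false if submitted.nil?

    unmasked = unmask(submitted.to_s)
    return false if unmasked.nil?

    secure_compare(unmasked, session_token(session))
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = ForgeryProtection.masked_token(session)   # what the form would carry
  legit = { method: "POST", params: { authenticity_token: token } }
  forged = { method: "POST", params: { action: "transfer" } }  # cross-site form, no token
  puts "legitimate form accepted: #{ForgeryProtection.verified_request?(session, legit)}"
  puts "cross-site form accepted: #{ForgeryProtection.verified_request?(session, forged)}"
end
```

A cross-site page can make the victim's browser send a POST with the victim's cookies, but it cannot read the token embedded in the application's own pages, so its request fails the check. Note that the check is skipped for `GET`, `HEAD` and `OPTIONS`, which is one reason state changes must never be performed by GET handlers.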

#### Learn More{% #learn-more %}

- [Ruby on Rails documentation](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```ruby
class MyController < ApplicationController
  skip_before_action :verify_authenticity_token
  def something
  end
end
```

```ruby
class VulnerableController < ActionController::Base
  def index
  end
end
```

## Compliant Code Examples{% #compliant-code-examples %}

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery :with => :exception

  def index
  end
end
```

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery

  def index
  end
end
```