You can send the CSRF token in the headers, but that is a bad practice that reveals some security holes (there is an issue thread on GitHub explaining why).
The safest way to do this is to disable CSRF altogether:
    class ApplicationController < ActionController::Base
      # No protect_from_forgery call here, so the CSRF check is not installed
      # (on Rails 5.2+ also leave config.action_controller.default_protect_from_forgery off).
    end
And use token-based authentication, which you can implement yourself or use Devise's :token_authenticatable. You will need to configure AngularJS to send the token in either the parameters or the headers. Here is a snippet that I use to let Rails pick up the token whether it is in the headers or the parameters.
    class Api::BaseController < ApplicationController
      # prepend_before_filter is the Rails 4 name; on Rails 5+ use prepend_before_action
      prepend_before_filter :get_auth_token

      private

      # If no auth_token param was sent, fall back to the X-AUTH-TOKEN header and
      # copy it into params so the rest of the stack reads the token from one place.
      def get_auth_token
        if params[:auth_token].blank? && (auth_token = request.headers["X-AUTH-TOKEN"])
          params[:auth_token] = auth_token
        end
      end
    end
So in the end, this is how it works:
- The client uses the login method that you defined for authentication
- Gets the authentication token from the server
- Uses the token in each subsequent request for authorization
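The three steps above, worked through as an added example that is not part of the original answer and not Rails or Devise code: it runs with plain Ruby only, so a tiny `Request` struct stands in for the Rails request object, and the `TokenAuth` class, the `USERS` table and the `secure_equal?` helper are assumptions made for the demo. Tokens are random, only their SHA-256 digest is stored server-side, and the lookup prefers the `X-AUTH-TOKEN` header over the `auth_token` param, the same rule as the snippet above.

```ruby
require "securerandom"
require "digest"

# Constant-time byte comparison, so a password or token guess cannot be
# timed character by character.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal stand-in for the Rails request: just headers and params (assumption).
Request = Struct.new(:headers, :params)

class TokenAuth
  HEADER = "X-AUTH-TOKEN"
  PARAM  = "auth_token"

  # Constructed user store for the demo: username => password.
  USERS = { "alice" => "correct horse battery staple" }.freeze

  def initialize
    # Keyed by SHA-256 digest of the raw token, so a leaked table does not
    # hand out usable tokens, and no constant-time compare is needed on lookup.
    @tokens = {} # digest => { user:, expires_at: }
  end

  # Step 1 and 2: the client's login call; returns the raw token once, or nil.
  def login(user, password, ttl: 3600)
    return nil unless USERS.key?(user) && secure_equal?(USERS[user], password)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(raw)] = { user: user, expires_at: Time.now + ttl }
    raw
  end

  # Same lookup rule as the Rails snippet: header wins, otherwise the param.
  def extract_token(request)
    header = request.headers[HEADER]
    return header unless header.nil? || header.empty?
    param = request.params[PARAM]
    param unless param.nil? || param.empty?
  end

  # Step 3: per-request authorization; returns the user name or nil.
  def authenticate(request)
    raw = extract_token(request)
    return nil if raw.nil?
    digest = Digest::SHA256.hexdigest(raw)
    entry = @tokens[digest]
    return nil if entry.nil?
    if entry[:expires_at] < Time.now
      @tokens.delete(digest) # expired tokens are dropped on first use
      return nil
    end
    entry[:user]
  end

  # Revoke the token carried by this request (logout).
  def logout(request)
    raw = extract_token(request)
    @tokens.delete(Digest::SHA256.hexdigest(raw)) unless raw.nil?
  end
end

# Walk through the flow with constructed requests; returns the outcomes.
def demo
  auth = TokenAuth.new
  bad_login = auth.login("alice", "wrong password")
  token = auth.login("alice", "correct horse battery staple")
  results = {
    bad_login:  bad_login,
    via_header: auth.authenticate(Request.new({ "X-AUTH-TOKEN" => token }, {})),
    via_param:  auth.authenticate(Request.new({}, { "auth_token" => token })),
    forged:     auth.authenticate(Request.new({ "X-AUTH-TOKEN" => "not-a-real-token" }, {})),
    no_token:   auth.authenticate(Request.new({}, {})),
  }
  expired = auth.login("alice", "correct horse battery staple", ttl: -1)
  results[:expired] = auth.authenticate(Request.new({ "X-AUTH-TOKEN" => expired }, {}))
  auth.logout(Request.new({ "X-AUTH-TOKEN" => token }, {}))
  results[:after_logout] = auth.authenticate(Request.new({ "X-AUTH-TOKEN" => token }, {}))
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

On the client side the same contract means AngularJS only has to set the `X-AUTH-TOKEN` default header after login; with CSRF disabled, the token in the header is what ties each request to the session, so it should be issued with an expiry and revoked on logout, as the demo does.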