Where does Rails 4 store an authentication token to protect CSRF?

Inside one of my controllers, I write the following to protect certain pages from CSRF.

  protect_from_forgery :only => [:foo, :bar]

When I load the URL corresponding to foo and bar and view the HTML, I do not see any hidden input fields or meta tags containing any security tokens, as described here.

However, during testing I noticed that CSRF is not effective against these pages, although it is effective against other pages in the same application that are not protected.

So where does Rails 4 store the security token that is used to verify that the request came from the original page?

Note that I have already read the Ruby on Rails Security Guide, and the section on protect_from_forgery says:

This automatically includes a security token in all forms and Ajax requests created by Rails. If the security token does not match what was expected, the session will be reset.

The problem is that this security token is not present on forms on pages with CSRF protection enabled, although CSRF is really not effective against them.


Note that this code is from a project in which one of the targets is a clickjacking attack to bypass the CSRF protection. The question I am asking here is orthogonal to the purpose of the assignment.

I'm just wondering how Rails does CSRF.

I start the application with rails server and load the URL http://localhost:3000/protected_transfer.


The CSRF token is stored in the session (which is a cookie by default in Rails; in Rails 4 the session cookie is encrypted). It is written into the page in two places: into <meta> tags (for JavaScript) by csrf_meta_tags, and into a hidden field by the form_tag and form_for helpers.

If, however, a page with CSRF protection enabled uses a literal HTML <form> instead of form_for, no CSRF token is emitted for it. Likewise, if csrf_meta_tags is missing from the layout, there are no meta tags either.

A form such as <form action="post_transfer" method="post"> therefore carries no CSRF token, and the request it submits fails the CSRF check performed by protect_from_forgery; the POST to protected_post_transfer does not go through as intended.

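To make the answer concrete, here is an added Ruby model of the mechanism. It is example code written for this page, not Rails' own implementation and not code from the question or the answer. It assumes a plain Hash standing in for the session cookie, and the helper names (form_for_html, csrf_meta_tags_html, literal_form_html, protect_from_forgery, extract_token) are constructed stand-ins that mimic what the real Rails helpers emit and check. The per-form token masking is the scheme Rails introduced in 4.2; earlier 4.x releases compare the raw session token instead.

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32 # bytes; Rails keeps a base64 of 32 random bytes in the session

# The session is a plain Hash here; in Rails 4 it is the encrypted session cookie.
# The token is generated lazily the first time something asks for it.
def csrf_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a timing side channel cannot leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Per-form masked token (what Rails >= 4.2 puts into the hidden field and the meta tag):
# a fresh one-time pad XORed onto the real token, sent as base64(pad || masked).
def masked_token(session)
  real = Base64.strict_decode64(csrf_token(session))
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(real, pad))
end

# Unmask the presented value and compare it with the token held in the session.
def valid_token?(session, presented)
  return false unless presented.is_a?(String)
  begin
    decoded = Base64.strict_decode64(presented)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded.byteslice(0, TOKEN_LENGTH)
  masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  real = Base64.strict_decode64(csrf_token(session))
  secure_compare(xor_bytes(masked, pad), real)
end

# What form_for / form_tag emit: the hidden authenticity_token field (constructed stand-in).
def form_for_html(session, action)
  %(<form action="#{action}" method="post">) +
    %(<input type="hidden" name="authenticity_token" value="#{masked_token(session)}" />) +
    '</form>'
end

# What csrf_meta_tags emits, for JavaScript to copy into the X-CSRF-Token header.
def csrf_meta_tags_html(session)
  %(<meta name="csrf-param" content="authenticity_token" />) +
    %(<meta name="csrf-token" content="#{masked_token(session)}" />)
end

# A literal <form> written by hand: no helper ran, so no token is present.
def literal_form_html(action)
  %(<form action="#{action}" method="post"></form>)
end

def extract_token(html)
  html[/name="authenticity_token" value="([^"]+)"/, 1]
end

def extract_meta_token(html)
  html[/name="csrf-token" content="([^"]+)"/, 1]
end

# Model of protect_from_forgery: GET and HEAD are never checked; other methods must carry
# the token in the form field or the X-CSRF-Token header. On failure the session is
# reset, which is the behaviour the security guide quoted in the question describes.
def protect_from_forgery(session, method, params = {}, headers = {})
  return true if %w[GET HEAD].include?(method)
  presented = params['authenticity_token'] || headers['X-CSRF-Token']
  return true if valid_token?(session, presented)
  session.clear
  false
end

if $PROGRAM_NAME == __FILE__
  session = {}
  helper_form = form_for_html(session, '/protected_transfer')
  puts "form_for emits a token:      #{!extract_token(helper_form).nil?}"
  puts "literal <form> has a token:  #{!extract_token(literal_form_html('/protected_transfer')).nil?}"
  puts "POST with helper token ok:   #{protect_from_forgery(session, 'POST', 'authenticity_token' => extract_token(helper_form))}"
  puts "POST from literal form ok:   #{protect_from_forgery(session.dup, 'POST', {})}"
end
```

Loading the page with GET never triggers the check, which is why the protected pages render without any visible token: the token only becomes visible when a Rails helper (form_for, form_tag or csrf_meta_tags) writes it into the HTML. A hand-written <form> submits nothing, the check fails, and the session is reset.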

Source: https://habr.com/ru/post/1539226/

