From 4fe9d4cbcf681acbe5a2b6fef7e93603e1a7b96a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javi=20Mart=C3=ADn?= Date: Sat, 15 Jul 2023 14:28:42 +0200 Subject: [PATCH] Use URL-safe CSRF tokens and SameSite in cookies These measures increase protection against CSRF ataks. The only reason Rails provides them as a configuration option is there are complex applications that run one version of the code in some servers while running an old version of the code in other servers might run into issues because the the old version won't handle the tokens or cookies generated by the new version. Since most Consul applications use just one server and the ones with more servers would only face this issue for a few seconds (while upgrading to a new version of Consul Democracy), we can safely enable these configuration options.
---
config/initializers/new_framework_defaults_6_1.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/initializers/new_framework_defaults_6_1.rb b/config/initializers/new_framework_defaults_6_1.rb
index 9e2590862..02fdb8b78 100644
--- a/config/initializers/new_framework_defaults_6_1.rb
+++ b/config/initializers/new_framework_defaults_6_1.rb
@@ -23,13 +23,13 @@ Rails.application.config.active_job.skip_after_callbacks_if_terminated = true
 #
 # This change is not backwards compatible with earlier Rails versions.
 # It's best enabled when your entire app is migrated and stable on 6.1.
-# Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
+Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
 
 # Generate CSRF tokens that are encoded in URL-safe Base64.
 #
 # This change is not backwards compatible with earlier Rails versions.
 # It's best enabled when your entire app is migrated and stable on 6.1.
-# Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+Rails.application.config.action_controller.urlsafe_csrf_tokens = true
 
 # Specify whether `ActiveSupport::TimeZone.utc_to_local` returns a time with an
 # UTC offset or a UTC time.
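Review bot: The `cookies_same_site_protection = :lax` line should say why `:lax` was chosen over `:strict`, because `:lax` still sends cookies on top-level cross-site GET navigations, so for those requests the authenticity token remains the only CSRF control and the commit message's "protection against CSRF" claim is narrower than it reads. Presumably `:lax` is needed so that redirects back from external sites (login providers, payment flows) arrive with the session cookie; if so, a comment such as `# :lax rather than :strict so cookies survive top-level cross-site redirects (e.g. returning from an external login); CSRF tokens are still required for state-changing requests.` would keep the next maintainer from tightening it and breaking those flows, or from assuming GETs are covered. Note also that cookies set with an explicit `same_site:` option keep their own value regardless of this default, so any cookie written that way elsewhere in the app is unaffected by this hunk. Since this file only enables the 6.1 defaults one by one, once all of its options are on the usual Rails follow-up is to raise `config.load_defaults` in application.rb and drop the initializer; that lives outside this hunk.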