Enable per form CSRF tokens
This is the default for new Rails applications, and adds an extra layer of security since now the token will only be valid for its action, and so attackers managing to change the form action will not do any harm since the CSRF token will not work for the attackers' action. Note that we've had InvalidAuthenticityToken exceptions for years; if we keep getting them, chances are this change is *not* related.
@@ -11,7 +11,6 @@ module Consul
config.load_defaults 5.0
# Overwrite Rails 5.0 defaults and use the options we used in Rails 4
config.action_controller.per_form_csrf_tokens = nil
config.action_controller.forgery_protection_origin_check = nil
ActiveSupport.to_time_preserves_timezone = false
config.active_record.belongs_to_required_by_default = false
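Review bot: removing the `config.action_controller.per_form_csrf_tokens = nil` line lets `config.load_defaults 5.0` turn per-form tokens on, but the comment "Overwrite Rails 5.0 defaults and use the options we used in Rails 4" now only describes the three overrides that remain, so please reword it to match. Because a per-form token is bound to the form's action and HTTP method, any form that is submitted to a path other than the one it was rendered for (for example a form whose `action` is rewritten by JavaScript) will raise InvalidAuthenticityToken after this change; the commit message should say whether such forms were checked, since it currently only notes that the exception has been seen for years. Consider dropping `config.action_controller.forgery_protection_origin_check = nil` in the same change, as it disables the related Rails 5.0 default (the Origin header check) for the same CSRF protection.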