From 611d729080742d9f1d95d2b2eb9533ea3bdd36de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Fri, 4 Sep 2020 16:10:01 +0200
Subject: [PATCH] Enable per form CSRF tokens

This is the default for new Rails application, and adds an extra layer of security since now the token will only be valid for its action, and so attackers managing to change the form action will not do any harm since the CSRF token will not work for the attackers' action.

Note that we've had InvalidAuthenticityToken exceptions for years; if we keep getting them, chances are this change is *not* related.
---
 config/application.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index 6747e0880..be07a620c 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -11,7 +11,6 @@ module Consul
 config.load_defaults 5.0
 # Overwrite Rails 5.0 defaults and use the options we used in Rails 4
- config.action_controller.per_form_csrf_tokens = nil
 config.action_controller.forgery_protection_origin_check = nil
 ActiveSupport.to_time_preserves_timezone = false
 config.active_record.belongs_to_required_by_default = false
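Review bot: Removing the `per_form_csrf_tokens = nil` override lets the `config.load_defaults 5.0` line above it turn per-form tokens on, but as far as I can tell the action binding only covers tokens emitted by the form helpers (`form_with`/`form_for`), which pass the action and method into `form_authenticity_token`; the session-wide token from `csrf_meta_tags`, used by Rails UJS and by any hand-written `authenticity_token` field, stays valid for every action, so the description's "will not do any harm" overstates the coverage somewhat. A pointer next to the remaining overrides would save the next reader that investigation, e.g. `# Per-form CSRF tokens (Rails 5.0 default) bind only helper-generated forms; the meta-tag token stays global.` Since the only regression signal mentioned is the `InvalidAuthenticityToken` rate, a boot-time test asserting `Rails.application.config.action_controller.per_form_csrf_tokens` is true would catch an accidental reintroduction of the override. The enclosing `Application` class body continues outside the hunk.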