Enable Origin header check in forgery protection
This is the default in Rails 5 applications. This option is not enabled by default in existing applications because it would break applications running on several domains and doing POST requests between them or running a reverse proxy that rewrites the Host header. Since those aren't our cases, it's safe to enable it.
@@ -11,7 +11,6 @@ module Consul
|
||||
config.load_defaults 5.0
|
||||
|
||||
# Overwrite Rails 5.0 defaults and use the options we used in Rails 4
|
||||
config.action_controller.forgery_protection_origin_check = nil
|
||||
ActiveSupport.to_time_preserves_timezone = false
|
||||
config.active_record.belongs_to_required_by_default = false
|
||||
config.ssl_options = {}
|
||||
|
||||
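Review bot: Dropping the `config.action_controller.forgery_protection_origin_check = nil` override from the block under "Overwrite Rails 5.0 defaults" leaves the setting to `config.load_defaults 5.0`, but nothing in the code records the deployment assumption the commit message depends on (no POST requests between several domains, no reverse proxy rewriting the Host header). Consider a short comment next to `config.load_defaults 5.0`, or a line in the installation docs, stating that installations behind a Host-rewriting proxy will see POST requests fail CSRF verification once this check is on. A request spec that sends a POST with a mismatched Origin header and expects it to fail verification would also keep the override from being reintroduced unnoticed.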