From f1b38d20c193628216aec649bae3f46d7264ee37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Fri, 4 Sep 2020 16:10:22 +0200
Subject: [PATCH] Enable Origin header check in forgery protection

This is the default in Rails 5 applications. This option is not enabled by default in existing applications because it would break applications running on several domains and doing POST requests between them or running a reverse proxy that rewrites the Host header. Since those aren't our cases, it's safe to enable it.
---
 config/application.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index be07a620c..6c0b838f7 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -11,7 +11,6 @@ module Consul
 config.load_defaults 5.0
 # Overwrite Rails 5.0 defaults and use the options we used in Rails 4
- config.action_controller.forgery_protection_origin_check = nil
 ActiveSupport.to_time_preserves_timezone = false
 config.active_record.belongs_to_required_by_default = false
 config.ssl_options = {}
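Review bot: Installations that terminate TLS in front of the app without forwarding `X-Forwarded-Proto` would have legitimate POSTs treated as unverified after this removal, because the Origin check that `config.load_defaults 5.0` now leaves enabled compares the Origin header with `request.base_url`, scheme included. Nothing in the remaining block records that requirement, so I would add a comment under the overrides such as `# forgery_protection_origin_check keeps the 5.0 default (true): proxies must forward Host and X-Forwarded-Proto`. The diffstat shows only this file changed; a request spec that enables forgery protection and sends a mismatched Origin would keep the check from being silently switched off again. The enclosing `module Consul` block starts and ends outside the hunk.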