What is CSRF? How does Rails protect against it?

-

What is CSRF? How does Rails protect against it?




CSRF stands for Cross-Site Request Forgery. This is a form of an attack where the attacker submits a form on your behalf to a different website, potentially causing damage or revealing sensitive information. Since browsers will automatically include cookies for a domain on a request, if you were recently logged in to the target site, the attacker's request will appear to come from you as a logged-in user (as your session cookie will be sent with the POST request).

In order to protect against CSRF attacks, you can add protect_from_forgery to your ApplicationController. This will then cause Rails to require a CSRF token to be present before accepting any POST, PUT, or DELETE requests. The CSRF token is included as a hidden field in every form created using Rails' form builders. It is also included as a header in GET requests so that other, non-form-based mechanisms for sending a POST can use it as well. Attackers are prevented from stealing the CSRF token by browsers' "same origin" policy.

Comments

Post a Comment

Popular posts from this blog

Discuss the seven characteristics of useful information.

-
Discuss the seven characteristics of useful information. Answer: The seven characteristics of useful information are: relevant, reliable, complete, timely, understandable, verifiable and accessible. These characteristics are qualities that information should possess to be useful in a business environment. Briefly stated, in order for information to be useful it must be: 1) relevant, meaning that it reduces uncertainty and adds to the decision-making process; 2) reliable information is information that is free from error, and is accurate in its nature; 3) complete information is information that does not omit any important data, facts, or aspects about events or activities; 4) information is timely when it is fully available to enable the decision-making process to proceed; 5) understandable information must be both in an intelligible and useful format; 6) information is considered verifiable if two people, acting independently of each other, produce the same inform
Read more

Why have accounting software packages been designed with separate transaction modules?

-
Why have accounting software packages been designed with separate transaction modules? Answer: : Since every organization does not necessarily use all of the transaction cycles in its operations, it is to the advantage of the organization to be able to "pick and choose" from among various software modules that track and record different transaction cycles. For example, a law firm would have no need to implement a production cycle module. Also, the nature of a transaction cycle varies across the broad spectrum of business organizations. Again, a law firm would have a revenue cycle, but it would not involve the purchase, receipt, and payment for products or merchandise; likewise a retail store chain may not sell any consulting services to its customers.
Read more

A laboratory assistant prepared solution of 0.8 M, 0.6 M, 0.4 M, and 0.2 M sucrose, but forgot to label them. After realizing the error, the assistant randomly labeled the flasks containing these four unknown solutions as flask A, flask B, flask C, and flask D.

-
A laboratory assistant prepared solution of 0.8 M, 0.6 M, 0.4 M, and 0.2 M sucrose, but forgot to label them. After realizing the error, the assistant randomly labeled the flasks containing these four unknown solutions as flask A, flask B, flask C, and flask D. Design an experiment, based on the principles of diffusion and osmosis, that the assistant could use to determine which of the flasks contains each of the four unknown solutions. Include in your answer (a) a description of how you would set up and perform the experiment: (b) the results you would expect from your experiments: and (c) an explanation of those results based on the principles involved. (Be sure to clearly state the principles addressed in your discussion.)
Read more