Rails Can t verify CSRF token authenticity when making a POST request

Question

I want to make POST request to my local dev  like this     HTTParty post  http   localhost 3000 fetch heroku                    body   gt    type   gt   product       However  from the server console it reports   Started POST   fetch heroku  for 127 0 0 1 at 2016-02-03 23 33 39  0800   ActiveRecord  SchemaMigration Load  0 0ms   SELECT  schema migrations    FROM  schema migrations  Processing by AdminController fetch heroku as       Parameters    type   gt  product   Can t verify CSRF token authenticity Completed 422 Unprocessable Entity in 1ms   Here is my controller and routes setup  it s quite simple      def fetch heroku     if params  type      product        flash  alert     Fetch Product From Heroku        Heroku get product     end   end    post  fetch heroku    gt   admin fetch heroku    I m not sure what I need to do  To turn off the CSRF would certainly work  but I think it should be my mistake when creating such an API   Is there any other setup I need to do

User · Answer

The simplest solution for the problem is do standard things in your controller or you can directely put it into ApplicationController

class ApplicationController < ActionController::Base protect_from_forgery with: :exception, prepend: true end

User · Answer

Another way to turn off CSRF that won t render a null session is to add   skip before action  verify authenticity token   in your Rails Controller  This will ensure you still have access to session info    Again  make sure you only do this in API controllers or in other places where CSRF protection doesn t quite apply

User · Answer

Cross site request forgery  CSRF XSRF  is when a malicious web page tricks users into performing a request that is not intended for example by using bookmarklets  iframes or just by creating a page which is visually similar enough to fool users   The Rails CSRF protection is made for   classical  web apps - it simply gives a degree of assurance that the request originated from your own web app  A CSRF token works like a secret that only your server knows - Rails generates a random token and stores it in the session  Your forms send the token via a hidden input and Rails verifies that any non GET request includes a token that matches what is stored in the session   However an API is usually by definition cross site and meant to be used in more than your web app  which means that the whole concept of CSRF does not quite apply   Instead you should use a token based strategy of authenticating API requests with an API key and secret since you are verifying that the request comes from an approved API client - not from your own app   You can deactivate CSRF as pointed out by  dcestari   class ApiController  lt  ActionController  Base   protect from forgery with   null session end   Updated  In Rails 5 you can generate API only applications by using the --api option    rails new appname --api   They do not include the CSRF middleware and many other components that are superflouus     http   guides rubyonrails org security html cross-site-request-forgery-csrf https   labs kollegorna se blog 2015 04 build-an-api-now  WARNING  Can  39 t verify CSRF token authenticity rails

User · Answer

There is relevant info on a configuration of CSRF with respect to API controllers on api rubyonrails org             It s important to remember that XML or JSON requests are also affected and if you re building an API you should change forgery protection method in ApplicationController  by default   exception    class ApplicationController  lt  ActionController  Base   protect from forgery unless  - gt    request format json    end       We may want to disable CSRF protection for APIs since they are typically designed to be state-less  That is  the request API client will handle the session for you instead of Rails

User · Answer

If you want to exclude the sample controller s sample action  class TestController  lt  ApplicationController   protect from forgery  except   gt    sample     def sample      render json   hogehoge   end end   You can to process requests from outside without any problems

User · Answer

Since Rails 5 you can also create a new class with   API instead of   Base  class ApiController  lt  ActionController  API end

User · Answer

If you only want to skip CSRF protection for one or more controller actions  instead of the entire controller   try this skip before action  verify authenticity token  only   webhook   index   create   Where   webhook   index   create  will skip the check for those 3 actions  but you can change to whichever you want to skip

User · Answer

If you re using Devise  please note that  For Rails 5  protect from forgery is no longer prepended to the before action chain  so if you have set authenticate user before protect from forgery  your request will result in  quot Can t verify CSRF token authenticity  quot  To resolve this  either change the order in which you call them  or use protect from forgery prepend  true   Documentation

[ruby-on-rails] Rails: Can't verify CSRF token authenticity when making a POST request

Examples related to ruby-on-rails