Cross-site Request Forgery & csrf_meta_tags

Cross-site Request Forgery

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website from a user that the web application trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. (from Wikipedia)

Put simply, CSRF is an attack in which a malicious party tricks a logged-in user's browser into sending a request the user never intended, and the server carries it out because the browser attaches the user's session cookie to the request automatically. For example, suppose an attacker wants a user to delete some information on a site. The attacker sends the user an email with a link such as "Get your free iPhone X today!", but the page behind the link actually submits a delete request to that site (typically via a hidden, auto-submitting form, since a plain link only issues a GET). If the user is signed in to the site, the browser sends the forged request with the user's session cookie and the data is deleted.

csrf_meta_tags

In Rails, we add `csrf_meta_tags` to the layout's `<head>` as part of preventing CSRF. The helper renders two meta tags, `csrf-param` and `csrf-token`, containing the name of the cross-site request forgery protection parameter (`authenticity_token`) and the current token, respectively. The meta tags alone do not block anything: they expose the token to JavaScript so that rails-ujs (or your own code) can send it in the `X-CSRF-Token` header on AJAX requests, while form helpers such as `form_with` embed the same token as a hidden `authenticity_token` field. The actual check happens on the server in `protect_from_forgery`, which rejects any non-GET/HEAD request whose token does not match the one stored in the user's session. An attacker's page cannot read the meta tag or the session, so it cannot supply a valid token.
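To make the mechanism concrete, here is a simplified, self-contained model of what happens behind `csrf_meta_tags` and `protect_from_forgery`: a per-session secret, a per-request masked token rendered into the two meta tags, and the server-side check that accepts the token from either the form parameter or the `X-CSRF-Token` header. This is an added example written for this page, not Rails' own code; the session is a plain Hash standing in for the Rails session store, and the parameter and header names assume Rails' defaults.

```ruby
require 'securerandom'
require 'erb'

# Simplified model of Rails' CSRF protection (added example, NOT Rails' code).
# The session is a plain Hash standing in for the Rails session store; the
# parameter/header names follow Rails' defaults (authenticity_token, X-CSRF-Token).
class CsrfGuard
  TOKEN_BYTES  = 32
  PARAM_NAME   = 'authenticity_token'
  HEADER_NAME  = 'X-CSRF-Token'
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(session)
    @session = session
  end

  # Per-session secret, minted on first use (Rails keeps it in session[:_csrf_token]).
  def real_token
    @session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Per-request token: the secret XORed with a fresh one-time pad, sent as
  # base64(pad || secret XOR pad). Masking keeps the token from appearing as the
  # same fixed string in every response (the BREACH compression side channel).
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_BYTES)
    [pad + xor(real_token, pad)].pack('m0')
  end

  # What csrf_meta_tags renders into <head>.
  def meta_tags
    %(<meta name="csrf-param" content="#{PARAM_NAME}" />\n) +
      %(<meta name="csrf-token" content="#{ERB::Util.html_escape(masked_token)}" />)
  end

  # Server-side check: safe methods pass; everything else must carry a token
  # (hidden form field or header) that unmasks to this session's secret.
  def valid_request?(method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.upcase)

    candidate = params[PARAM_NAME] || headers[HEADER_NAME]
    return false unless candidate.is_a?(String)

    decoded = begin
      candidate.unpack1('m0')          # strict base64; raises on junk input
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == 2 * TOKEN_BYTES

    pad    = decoded[0, TOKEN_BYTES]
    masked = decoded[TOKEN_BYTES, TOKEN_BYTES]
    secure_compare(xor(masked, pad), real_token)
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so response timing does not leak matching bytes.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}                       # constructed stand-in for one user's session
  guard   = CsrfGuard.new(session)
  puts guard.meta_tags
  token = guard.meta_tags[/name="csrf-token" content="([^"]+)"/, 1]
  # Same-origin AJAX: rails-ujs copies the meta token into the header.
  puts guard.valid_request?(method: 'POST', headers: { 'X-CSRF-Token' => token })
  # Cross-site auto-submitting form: the cookie rides along, but no token does.
  puts guard.valid_request?(method: 'POST')
end
```

The point to notice is that the attacker's page has the victim's cookie working for it but never sees the meta tag, so the forged POST fails the check, while a GET is let through unchecked, which is why state-changing actions must never be reachable via GET.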
