CSRF measures in Rails

At the beginning

Recently, I started developing an app that consists of Vue for the front and Ruby for the back. Since the front desk became Vue, I decided to write CSRF measures myself, but I was curious about the mechanism of CSRF measures that Rails would do without permission, so I investigated it.

What is CSRF?

--Abbreviation for Cross Site Request Forgeries. --By following a link on another site, the user launches an attack on the logged-in web application. Request Forgeries because it impersonates the request. The specific flow is described below.

ex)

  1. User A logs in to the web app.
  2. The cookie is stored in the browser you are using.
  3. After that, cookie is sent for each host. (Cookies are sent only to the host that issued them)
  4. Here, malicious user B sets up a link to another site.
  5. User A steps on the link.
  6. Since the Web application side determines that user A is logged in as long as the session is valid, it receives the request exactly as it was set in the link. (Withdrawal, purchase of products, etc.)

Basically, it is necessary to issue a security token for operations other than GET (query, read, search).

Measures with Rails

form_with, form_tag

Rails includes a security token as standard in the information sent from the form tag. If you use a helper such as form_with, it will automatically issue and verify tokens as shown below. <input type="hidden" name="authenticity_token" ...>

protect_from_forgery

By writing on the controller side, it will check if the security token is correct for the action. If you want to change the data from the client side, you need to use except and take CSRF measures by other methods.

CSRF measures in Ajax request

Rails also provides some security token support in Ajax. When making an Ajax request by JavaScript, it seems that Rails issues a security token first and sends it by JS. (HTTP header called X-CSRF-Token)

To issue a security token on the Rails side, call csrf_meta_tags. When you include a security token in Ajax, it will be done automatically in the Ajax request using rails-ujs.

At the end

I'm grateful that Rails did a good job behind the scenes. Next, I would like to summarize the CSRF measures when a request is skipped from the client side.

Articles that I used as a reference

Rails Security Guide (https://railsguides.jp/security.html)

Recommended Posts

CSRF measures in Rails
Group_by in Rails
Model association in Rails
Adding columns in Rails
Disable turbolinks in Rails
^, $ in Rails regular expression
Use images in Rails
Understand migration in rails
Split routes.rb in Rails6
Rails CSRF measures and html files under public
Implement markdown in Rails
[Rails] When using ajax, be aware of "CSRF measures".
Get UserAgent in [Rails] controller
Implement application function in Rails
Declarative transaction in Rails #ginzarb
Implement follow function in Rails
Japaneseize using i18n with Rails
Error in rails db: migrate
Gem often used in Rails
Display Flash messages in Rails
View monthly calendar in Rails
Implement import process in Rails
Use multiple checkboxes in Rails6!
Rewrite Routes in Rails Engine
Rails: Capture regular expressions in emails!
[Rails] Keyword search in multiple tables
[Rails] Session timeout setting in devise
Add a search function in Rails.
Enable jQuery and Bootstrap in Rails 6 (Rails 6)
[rails] Login screen implementation in devise
[Rails] Unexpected validation error in devise
About the symbol <%%> in Rails erb
[Rails] Use cookies in API mode
Implement simple login function in Rails
Create a new app in Rails
Ruby on Rails Japanese-English support i18n
[Solution] Webpacker :: Manifest :: MissingEntryError in Rails
Implement a contact form in Rails
Remove "assets" and "turbolinks" in "Rails6".
CRUD features and MVC in Rails
How to introduce jQuery in Rails 6
First pagination feature added in rails
Data is not registered in Rails.
[Rails 6] Customize Bootstrap in Rails + Bootstrap 5.0.0-alpha environment
Implement CSV download function in Rails
Ruby methods often used in Rails
How to install Swiper in Rails
Settings when calling API using CSRF measures of Spring Security in JMeter
Definitions other than 7 basic actions in Rails
[Rails] Function restrictions in devise (login / logout)
How to change app name in rails
How to use custom helpers in rails
I searched for CSRF in Ruby's Gem
How to insert a video in Rails
The identity of params [: id] in rails
Rails refactoring story learned in the field
Ruby on Rails in Visual Studio Codespaces
JavaScript (vanilla) does not respond in Rails.
How to use MySQL in Rails tutorial
Steps to set a favicon in Rails
Specify home view in rails app [root]