Rails: Can’t verify CSRF token authenticity when making a POST request

Cross site request forgery (CSRF/XSRF) is when a malicious web page tricks users into performing a request that is not intended for example by using bookmarklets, iframes or just by creating a page which is visually similar enough to fool users.

The Rails CSRF protection is made for “classical” web apps – it simply gives a degree of assurance that the request originated from your own web app. A CSRF token works like a secret that only your server knows – Rails generates a random token and stores it in the session. Your forms send the token via a hidden input and Rails verifies that any non GET request includes a token that matches what is stored in the session.

However an API is usually by definition cross site and meant to be used in more than your web app, which means that the whole concept of CSRF does not quite apply.

Instead you should use a token based strategy of authenticating API requests with an API key and secret since you are verifying that the request comes from an approved API client – not from your own app.

You can deactivate CSRF as pointed out by @dcestari:

class ApiController < ActionController::Base
  protect_from_forgery with: :null_session
end

Updated. In Rails 5 you can generate API only applications by using the --api option:

rails new appname --api

They do not include the CSRF middleware and many other components that are superflouus.

Related Posts:

  1. 400 Bad Request – request header or cookie too large
  2. Why Puma listen on ‘tcp://localhost:3000’ instead of ‘http://localhost:3000’
  3. Explain what &quot means
  4. Why does Ruby on Rails use http://0.0.0.0:3000 instead of http://localhost:3000?
  5. ActionController::InvalidAuthenticityToken
  6. bundle install returns “Could not locate Gemfile”
  7. ActionController::InvalidAuthenticityToken
  8. Rails: Why “sudo” command is not recognized?
  9. undefined method `each’ for nil:NilClass… why?
  10. Bundler: You must use Bundler 2 or greater with this lockfile
  11. undefined method `each’ for nil:NilClass… why?
  12. Using Pundit for all-access “super_admin” role
  13. How to tell if homebrew is installed on Mac OS X
  14. What is the difference between Rails.cache.clear and rake tmp:cache:clear?
  15. Unable to install gem – Failed to build gem native extension – cannot load such file — mkmf (LoadError)
  16. Library not loaded: /usr/local/opt/readline/lib/libreadline.7.dylib
  17. Cannot load such file — bcrypt_ext
  18. How do I remove Permission denied @ rb_sysopen – Gem install error?
  19. Can’t find the ‘libpq-fe.h header when trying to install pg gem
  20. warning: constant ::Fixnum is deprecated When generating new model
  21. could not connect to server: No such file or directory (PG::ConnectionBad)
  22. PG::ConnectionBad: fe_sendauth: no password supplied
  23. curl : (1) Protocol https not supported or disabled in libcurl
  24. couldn’t find file ‘jquery’ with type ‘application/javascript’
  25. Passing parameters in rails redirect_to
  26. Getting: “Migrations are pending; run ‘bin/rake db:migrate RAILS_ENV=development’ to resolve this issue.” after cloning and migrating the project
  27. How to find out which rails version an existing rails application is built on?
  28. RubyMine Unit tests – Test Framework quit unexpectedly
  29. bcrypt LoadError: Cannot load such file
  30. Uninitialized constant “Controller Name”
  31. How do I format datetime in rails?
  32. heroku open – no app specified
  33. Difference between rake db:migrate db:reset and db:schema:load
  34. TypeError: no implicit conversion of Symbol into Integer
  35. Sass::SyntaxError: File to import not found or unreadable: bootstrap-sprockets
  36. How to stop (and restart) the Rails Server?
  37. Migrations are pending; run ‘bin/rake db:migrate RAILS_ENV=development’ to resolve this issue
  38. Advanced AREL or just Rails Query for has_many through search by association
  39. AngularJS- Login and Authentication in each route and controller
  40. Rails 5 ActionController::InvalidAuthenticityToken error
  41. what does ? ? mean in ruby
  42. Getting error: Peer authentication failed for user “postgres”, when trying to get pgsql working with rails
  43. Parsing XML with Ruby
  44. Email validation in Ruby on Rails?
  45. extconf failed, exit code 1 error when installing [Ruby on Rails] 5 on OS X Yosemite 10.10.5
  46. Rails 4 RoutingError: No Route Matches
  47. PG::ConnectionBad – could not connect to server: Connection refused
  48. Rails syntax error : unexpected keyword_ensure, expecting end-of-input
  49. Devise lockable – How to unlock account using unlock_in
  50. Ruby: What is the easiest way to remove the first element from an array?
  51. Ruby String to Date Conversion
  52. “Error installing rails” because “extconf.rb failed” on Ubuntu 18.04
  53. An unhandled lowlevel error occurred. The application logs may have details
  54. Uncaught ReferenceError: React is not defined
  55. Rails button_to vs. HTML Button Tag
  56. GROUP BY and COUNT using ActiveRecord
  57. Purge or recreate a Ruby on Rails database
  58. Uploading a file in Rails
  59. Generate model in Rails using user_id:integer vs user:references
  60. An error occurred while installing json (1.8.1), and Bundler cannot continue – Rails
  61. Nginx error: client intended to send too large body
  62. where is devise implementation of “authenticate_user!” method?
  63. What is the difference between “rake db:seed” and rake db:fixtures:load”
  64. How do I parse JSON with Ruby on Rails? [duplicate]
  65. How to force or redirect to SSL in nginx?

Leave a Comment