Ruby on Rails protect_from_forgery best practice

Posted by randombits on Stack Overflow See other posts from Stack Overflow or by randombits
Published on 2010-04-18T01:05:27Z Indexed on 2010/04/18 1:13 UTC
Read the original article Hit count: 446

Filed under:
|
|

I'm currently working on building a RESTful web api with ruby on rails. I haven't bothered putting a proper authentication scheme into the API yet as I'm ensuring that tests and the basic behavior of the API is working all locally first. Upon testing non-HTTP GET type requests such as HTTP POST/DELETE/PUT, stuff chokes because protect_from_forgery is on by default.

How does this work when I'm working in practice since essentially the idea is in a RESTful API that there is no state. The client does not have a session or a cookie associated with the server. Each request is an atomic, self-executed request. The user will supply some credentials to ensure they are who they say they are, but other than that, does protect_from_forgery make sense at this point? Should it remain enabled?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about rest