Ruby on Rails protect_from_forgery best practice
Posted by randombits on Stack Overflow, published 2010-04-18T01:05:27Z
I'm currently working on building a RESTful web API with Ruby on Rails. I haven't bothered putting a proper authentication scheme into the API yet, as I'm ensuring that tests and the basic behavior of the API are working locally first. Upon testing non-HTTP GET type requests such as HTTP POST/DELETE/PUT, stuff chokes because protect_from_forgery is on by default.
How does this work in practice, since essentially the idea in a RESTful API is that there is no state? The client does not have a session or a cookie associated with the server. Each request is an atomic, self-executed request. The user will supply some credentials to ensure they are who they say they are, but other than that, does protect_from_forgery make sense at this point? Should it remain enabled?
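The question turns on what CSRF protection actually guards against: a browser silently attaching a cookie session to a cross-site request. A credential the client sends explicitly (an Authorization header) is never attached that way, so there is nothing to forge. The following plain-Ruby check is an added example, not code from the question or from Rails itself; it models a Rack-style request with a constructed `Request` struct, a constructed `CSRF_SECRET`, and constructed sample requests, and shows the decision a forgery filter has to make for each kind of request:

```ruby
require 'openssl'

# Constructed stand-in for a Rack/Rails request; not Rails' own request class.
Request = Struct.new(:method, :headers, :cookies, :params, keyword_init: true)

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Server-side secret used to derive a per-session CSRF token.
# Constructed placeholder; a real app keeps this in its secret store.
CSRF_SECRET = 'example-secret-not-for-production'.freeze

# Derive the token the browser must echo back for this session.
def csrf_token_for(session_id)
  OpenSSL::HMAC.hexdigest('SHA256', CSRF_SECRET, session_id)
end

# Constant-time comparison so token checking does not leak via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request needs (and carries) a CSRF token.
# Returns [:allow, reason] or [:reject, reason].
def check_forgery(req)
  # Safe methods must not change state, so CSRF protection does not apply.
  return [:allow, 'safe method'] if SAFE_METHODS.include?(req.method)

  # A credential the client attaches explicitly is never sent by a browser on
  # its own to a cross-site request, so there is no ambient authority to forge.
  # This is the stateless-API case from the question.
  return [:allow, 'explicit header credential'] if req.headers['Authorization']

  # No cookie session and no header credential: there is no ambient authority
  # to forge; whether the request is authorised at all is the auth layer's job.
  session_id = req.cookies['_session_id']
  return [:allow, 'no session to protect'] if session_id.nil?

  # Cookie-backed session: the browser attaches it automatically, so demand
  # the per-session token (from header or form field) before proceeding.
  presented = req.headers['X-CSRF-Token'] || req.params['authenticity_token']
  if secure_equal?(presented, csrf_token_for(session_id))
    [:allow, 'valid CSRF token']
  else
    [:reject, 'missing or invalid CSRF token']
  end
end

# Constructed sample requests covering the cases a filter has to distinguish.
def sample_requests
  sid = 'sess-123' # constructed session id
  {
    api_post: Request.new(method: 'POST',
                          headers: { 'Authorization' => 'Bearer example-token' },
                          cookies: {}, params: {}),
    form_post: Request.new(method: 'POST', headers: {},
                           cookies: { '_session_id' => sid },
                           params: { 'authenticity_token' => csrf_token_for(sid) }),
    forged_post: Request.new(method: 'POST', headers: {},
                             cookies: { '_session_id' => sid }, params: {}),
    get: Request.new(method: 'GET', headers: {},
                     cookies: { '_session_id' => sid }, params: {})
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_requests.each { |name, req| puts "#{name}: #{check_forgery(req).inspect}" }
end
```

The point of the example is that the decision is driven by how the credential arrives, not by whether the endpoint is labelled REST: a POST carrying only an Authorization header passes without a token, while the same POST riding on a `_session_id` cookie is rejected unless it also presents the session's token. In Rails the same split is expressed per controller: API controllers that authenticate solely from headers can use `protect_from_forgery with: :null_session` (Rails 4 and later) or, in the Rails 2.x/3.x era the question dates from, `skip_before_filter :verify_authenticity_token`, while any controller that also honours cookie sessions keeps the check on.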