What is CSRF?
 

Cross-Site Request Forgery (CSRF)  :- is an attack vector where a malicious website tricks a user's browser into performing unwanted actions on a trusted site where the user is authenticated. For example, if a user is logged into their bank account, a CSRF attack might attempt to transfer funds without the user's knowledge by leveraging the user's active session.
 

Key points about CSRF :-
 

• Exploits Trust :-  The attack relies on the trust that the target site has in the user's browser.
• User’s Credentials :-  It uses the user's authentication cookies automatically, making it hard to distinguish between a legitimate request and a forged one.
• Silent Execution :-  The malicious action happens without the user's explicit consent, often leaving little evidence of wrongdoing.

How Rails Protects Against CSRF
 

Rails takes CSRF protection seriously and provides built-in mechanisms to help developers secure their applications. Here’s how Rails addresses CSRF:
 

1. Authenticity Tokens
 

At the heart of Rails’ CSRF defense is the authenticity token. This token is a unique, unpredictable value generated by Rails and included in every form generated by Rails’ helper methods (like form_for, form_with, etc.). When a form is submitted, Rails compares the token included in the form with the token stored in the user’s session.
 

• Token Generation :- Every session gets its unique token.
• Token Embedding :- Rails automatically embeds the token in forms and AJAX requests.
• Token Verification :- On form submission, the token is verified. If the token is missing or does not match, Rails rejects the request, preventing potential CSRF attacks.
   

2. Exception Handling
 

When Rails detects an invalid or missing authenticity token, it raises an ActionController::InvalidAuthenticityToken exception. This behavior helps developers identify potential attacks and take appropriate action, such as logging the incident or redirecting the user.
 

3. Secure Defaults
 

Rails opts for secure defaults by enabling CSRF protection in newly generated applications. In your ApplicationController, you’ll typically see this line.
 

class ApplicationController < ActionController::Base 
protect_from_forgery with: :exception 
end

The protect_from_forgery method tells Rails to check for the authenticity token and raise an exception if verification fails.
 

Best Practices for CSRF Protection in Rails
 

While Rails automates much of the CSRF protection process, here are some best practices to ensure your application remains secure:
 

1. Always Use Rails Form Helpers
 

Using Rails form helpers (such as form_with, form_for, etc.) automatically includes the CSRF token. Avoid manually crafting forms unless absolutely necessary, and if you do, be sure to include the token manually.
 

<%= form_tag '/your_action' do %>
  <%= hidden_field_tag :authenticity_token, form_authenticity_token %>
  <!-- your form fields here -->
<% end %>

2. Secure AJAX Requests
 

When making AJAX requests with libraries like jQuery or Axios, ensure the CSRF token is sent along with the request headers. Rails provides a meta tag in the layout to make this easier:
 

<meta name="csrf-token" content="<%= csrf_meta_tags %>">

$.ajaxSetup({ 
headers: { 
'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content') 
} 
});

class Api::V1::SomeController < ApplicationController 
 skip_before_action :verify_authenticity_token
 # API actions here 
end

swaz_ahmed

I am swaz_ahmed blogger on shadbox. I am influencer,content writer,author and publisher. Feel free to ask me any question and suggestions.