gem install 'rack-protection'
ruby server.rb
The server serves a page with two forms; submitting the one without a CSRF token field gets a 403 Forbidden response.
The middleware only accepts unsafe HTTP requests (every method except GET, HEAD, OPTIONS and TRACE) if the given access token matches the token stored in the session.
It checks either the X-CSRF-Token header or the POST form data.
To customize the authenticity parameter for form data (default is "authenticity_token"):
use Rack::Protection::AuthenticityToken, authenticity_param: 'your_param_name'
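To make the acceptance rule concrete, here is an added, self-contained illustration of the same checks (safe methods pass through, unsafe ones need a token from the `X-CSRF-Token` header or the form parameter that matches the session, otherwise 403), written for this page and not taken from the rack-protection gem. The class name `SimpleAuthenticityToken`, the `build_env` and `demo_statuses` helpers, the session key `:csrf` and the constructed requests are all assumptions; the real middleware is installed with the `use` line above and is what you should run in production.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Hypothetical minimal middleware mirroring the behaviour described above.
# Not the rack-protection gem's own implementation.
class SimpleAuthenticityToken
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  DEFAULT_PARAM = 'authenticity_token'.freeze

  def initialize(app, authenticity_param: DEFAULT_PARAM)
    @app = app
    @param = authenticity_param
  end

  # Returns (creating it on first use) the per-session token that forms embed.
  # Assumed session interface: a Hash stored under env['rack.session'].
  def self.token(session)
    session[:csrf] ||= SecureRandom.hex(32)
  end

  def call(env)
    # Safe methods are never checked.
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    session = env['rack.session'] || {}
    expected = session[:csrf]
    # Header first, then the form parameter.
    presented = env['HTTP_X_CSRF_TOKEN'] || form_param(env)

    if expected && presented && secure_compare(expected, presented)
      @app.call(env)
    else
      [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
    end
  end

  private

  # Reads the token from an application/x-www-form-urlencoded body.
  def form_param(env)
    return nil unless env['CONTENT_TYPE'].to_s.start_with?('application/x-www-form-urlencoded')

    body = env['rack.input']
    return nil unless body

    raw = body.read
    body.rewind if body.respond_to?(:rewind)
    URI.decode_www_form(raw).to_h[@param]
  end

  # Constant-time comparison so response timing does not reveal matching prefixes.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds a constructed Rack env (no real HTTP involved) for exercising the middleware.
def build_env(method, session, body: nil, header_token: nil)
  env = {
    'REQUEST_METHOD' => method,
    'rack.session' => session,
    'rack.input' => StringIO.new(body.to_s)
  }
  env['CONTENT_TYPE'] = 'application/x-www-form-urlencoded' if body
  env['HTTP_X_CSRF_TOKEN'] = header_token if header_token
  env
end

# Runs the constructed requests and returns the status each one receives.
def demo_statuses
  app = ->(_env) { [200, {}, ['ok']] }
  mw = SimpleAuthenticityToken.new(app)
  custom = SimpleAuthenticityToken.new(app, authenticity_param: 'your_param_name')
  session = {}
  token = SimpleAuthenticityToken.token(session)
  {
    get_without_token: mw.call(build_env('GET', session))[0],
    form_with_token: mw.call(build_env('POST', session, body: "authenticity_token=#{token}&name=x"))[0],
    form_without_token: mw.call(build_env('POST', session, body: 'name=x'))[0],
    header_with_token: mw.call(build_env('POST', session, header_token: token))[0],
    header_wrong_token: mw.call(build_env('POST', session, header_token: 'a' * 64))[0],
    custom_param: custom.call(build_env('POST', session, body: "your_param_name=#{token}"))[0]
  }
end

puts demo_statuses.inspect if $PROGRAM_NAME == __FILE__
```

The `custom_param` entry shows the effect of the `authenticity_param:` option from the `use` line above: with the option set, the token is read from `your_param_name` rather than the default `authenticity_token` field.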