Ensure forgery protection is enabled

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: ruby-security/rails-csrf

Language: Ruby

Severity: Warning

Category: Security

CWE: 352

Description

The rule “Ensure forgery protection is enabled” is a crucial security practice in Ruby development, specifically when designing Rails applications. Cross-Site Request Forgery (CSRF) is a type of attack that tricks the victim into submitting a malicious request. It uses the identity and privileges of the victim to perform an undesired function on their behalf.

To mitigate this type of attack, it is essential to enable forgery protection in your application. In Rails, this is done by adding the protect_from_forgery method in your ApplicationController. This method generates a unique token for every session, and Rails automatically includes this token in all forms and Ajax requests generated by the framework.

If the protect_from_forgery method is not present in your ApplicationController, your application is vulnerable to CSRF attacks. Always ensure that this method is included and properly configured to prevent such security risks.

Learn More

Non-Compliant Code Examples

class VulnerableController < ActionController::Base
  def index
  end
end

Compliant Code Examples

class ApplicationController < ActionController::Base
  protect_from_forgery :with => :exception

  def index
  end
end

class ApplicationController < ActionController::Base
  protect_from_forgery

  def index
  end
end
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: may/unit-testing