CSRF (Cross-Site Request Forgery) is an attack that tricks the victim's browser into sending a request to a server on their behalf.
Rails defends by embedding an authenticity token (a random string unique per session) in every form. The controller verifies the token before every non-GET request:
    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception # default: raise instead of silently nulling the session
    end

Requests from other sites lack the token → ActionController::InvalidAuthenticityToken (403).
API mode: ActionController::API excludes CSRF protection (stateless APIs use JWT/tokens instead of session cookies).
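To make the check concrete, here is a standalone illustration of the synchronizer-token pattern that protect_from_forgery implements: a per-session secret, a masked copy embedded in each form, and a verification step that skips read-only verbs and rejects any non-GET request whose token does not unmask to the session secret. This is an added example written for this note, not Rails' own code; the module name CsrfGuard, the plain Hash standing in for the session store, and the hex encoding of the masked token are assumptions, and the token lengths are simplified.

```ruby
require 'securerandom'

# Added example (not Rails' own code): a minimal synchronizer-token check.
# The session is modelled as a plain Hash standing in for the Rails session store.
module CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze  # read-only verbs are never checked
  TOKEN_BYTES  = 32

  # The per-session secret, created on first use and kept server-side
  # (or inside the encrypted session cookie), never readable by another origin.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Token to embed in a form: XOR the secret with a fresh one-time pad and
  # send pad || masked, so every rendered form carries a different string.
  # (Rails masks its tokens this way to blunt compression-oracle attacks.)
  def self.masked_token(session)
    raw    = session_token(session)
    pad    = SecureRandom.random_bytes(TOKEN_BYTES)
    masked = xor_bytes(raw, pad)
    (pad + masked).unpack1('H*')
  end

  # Recover the raw secret from a submitted masked token; nil on malformed input.
  def self.unmask(hex_token)
    return nil unless hex_token.is_a?(String) &&
                      hex_token.match?(/\A\h{#{4 * TOKEN_BYTES}}\z/)
    bytes = [hex_token].pack('H*')
    pad    = bytes.byteslice(0, TOKEN_BYTES)
    masked = bytes.byteslice(TOKEN_BYTES, TOKEN_BYTES)
    xor_bytes(masked, pad)
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so response timing does not leak matching prefixes.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What a before_action does: allow safe verbs, otherwise require a valid token.
  # A forged cross-site POST carries the victim's cookie (so the session resolves)
  # but the attacker's page cannot read the token, so this returns false.
  def self.verified?(http_method, session, submitted_token)
    return true if SAFE_METHODS.include?(http_method.to_s.upcase)
    secure_compare(unmask(submitted_token), session_token(session))
  end
end

if __FILE__ == $PROGRAM_NAME
  session    = {}
  form_token = CsrfGuard.masked_token(session)  # rendered into the site's own form
  puts "own form POST:       #{CsrfGuard.verified?('POST', session, form_token)}"
  puts "cross-site POST:     #{CsrfGuard.verified?('POST', session, nil)}"
  puts "GET (never checked): #{CsrfGuard.verified?('GET', session, nil)}"
end
```

Two points worth noting in the check: the token is compared in constant time, and a token minted for one session is useless against another, which is the property that makes the session-bound secret a CSRF defence rather than a mere form identifier.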