app/controllers/loose_leaf/application_controller.rb
'protect_from_forgery' should be called in LooseLeaf::ApplicationController
class ApplicationController < ActionController::Base
Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.
This warning is raised when no call to protect_from_forgery is found in ApplicationController. This method prevents CSRF.
For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception. This code is inserted into newly generated applications. The default behaviour on a failed check is to nil out the session object and let the request continue, which has been a source of many CSRF bypasses due to session memoization: a user already memoized from the session before the check runs stays in effect.
See the Ruby Security Guide for details.
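The following is an added illustration, not LooseLeaf code and not Rails' own implementation: a constructed stand-in for ActionController's forgery check that runs offline and shows why the warning recommends protect_from_forgery :with => :exception over the null-session default. The MiniController class, its process helper, the user id 42 and the sample session are all assumptions made for this example; in a real app the fix is one line in LooseLeaf::ApplicationController, placed before any other before_action so the token check runs first.

```ruby
require "securerandom"

# Hypothetical stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Hypothetical minimal controller modelling protect_from_forgery behaviour.
class MiniController
  attr_reader :params, :session

  def initialize(session, params, strategy)
    @session  = session
    @params   = params
    @strategy = strategy # :exception or :null_session
  end

  # Constant-time comparison; a plain == would leak how many leading bytes match.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # What protect_from_forgery does on every state-changing request:
  # compare the token carried by the form with the one stored in the session.
  def verify_authenticity_token
    return true if self.class.secure_compare(session[:csrf_token], params[:authenticity_token])

    case @strategy
    when :exception    then raise InvalidAuthenticityToken
    when :null_session then @session = {} # the request continues with an empty session
    end
    false
  end

  # Typical app helper: memoizes the user it looked up from the session.
  def current_user
    @current_user ||= session[:user_id]
  end

  # Runs one POST through the filter chain and reports who the action ends up
  # acting as: a user id, nil (nobody), or :rejected.
  def self.process(strategy, session, params, user_loaded_before_check: false)
    ctrl = new(session, params, strategy)
    ctrl.current_user if user_loaded_before_check # e.g. an authenticate before_action declared earlier
    ctrl.verify_authenticity_token
    ctrl.current_user
  rescue InvalidAuthenticityToken
    :rejected
  end
end

# Constructed sample data: user 42 is logged in and the app issued a CSRF token.
TOKEN = SecureRandom.hex(16)
def sample_session
  { csrf_token: TOKEN, user_id: 42 }
end

GENUINE = { authenticity_token: TOKEN } # form rendered by the app itself
FORGED  = {}                            # cross-site POST carries no token

if $PROGRAM_NAME == __FILE__
  puts MiniController.process(:exception, sample_session, GENUINE)           # 42
  puts MiniController.process(:exception, sample_session, FORGED)            # rejected
  puts MiniController.process(:null_session, sample_session, FORGED).inspect # nil
  # Memoized user survives the nulled session: the forged request still acts as 42.
  puts MiniController.process(:null_session, sample_session, FORGED, user_loaded_before_check: true) # 42
end
```

The last case is the memoization problem the warning text refers to: nulling the session only helps if nothing has already cached a user from it, whereas raising an exception stops the forged request regardless of filter ordering.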