Rails only protects you against CSRFs if you use GET
and POST
correctly.
This middleware helps you identify when a GET
request results in an
application state-change.
rack-csrf-detector
monkey-patches ActiveRecord
to identify GET
requests
that cause a database commit
. A CRSF-WARNING
header is added to responses
when this is detected. An accompanying chrome extension is available to alert
when the header is present.
Add the following to your Gemfile
gem 'rack-csrf-detector', :require => 'rack/csrf_detector'
And include the middleware in your development.rb
config.middleware.use "Rack::CsrfDetector" do
use Rack::CsrfDetector::ActiveRecordInstrument
use Rack::CsrfDetector::SidekiqInstrument
end
Note: Do not run this in production.
You can also install the chrome extension:
More Tools | Extensions | Developer mode | Load Unpacked extension...
And select the chrome-extension
folder in this repo.