
nakhli/angular_csrf


angular_csrf

Extends Rails CSRF protection to play nicely with AngularJS.


Once installed, angular_csrf just works: there is no need to change or configure either the AngularJS JavaScript code or the Rails application.

CSRF (cross-site request forgery) is an attack in which a malicious website makes a user's browser perform unauthorized actions on another website that trusts that user's session. The angular_csrf gem extends the CSRF protection in Rails to match the naming convention AngularJS uses for the HTTP header and cookie token names (see the Cookie-to-Header Token CSRF protection strategy for more details).

angular_csrf has a very small footprint and has only the rails gem as a dependency.

Getting Started

  1. Add the following line to your Gemfile:

       gem 'angular_csrf'

     Run the bundle command to install it:

       bundle install

  2. Run the angular_csrf generator:

       rails generate angular_csrf

     The generator will install an initializer, initializers/angular_csrf.rb, which takes care of extending the application controllers to handle the expected AngularJS CSRF protection data.

  3. You are done! Your app's CSRF protection now plays nicely with AngularJS.

How it works

AngularJS deals with CSRF protection as follows:

  • Reads the CSRF protection token from a cookie, by default XSRF-TOKEN
  • Sends the CSRF token back as an HTTP header, by default X-XSRF-TOKEN

angular_csrf makes the Rails application or API set the expected cookie token, then read and validate the HTTP header sent by AngularJS. angular_csrf installs a Rails initializer that extends the application controllers to perform these tasks.
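The cookie-to-header exchange described above, as an added, framework-free Ruby model (this is not the gem's own code, and the class and method names CsrfGuard, cookie_for_response, verified_request? and angular_headers are illustrative assumptions). A plain Hash stands in for the Rails session, and the real Rails token handling (per-request masking of the session token) is left out so the mechanism stays visible. The three scenarios show why the scheme works: a same-origin Angular request can read the cookie and echo it in the header; a cross-site forged request makes the browser send the cookie but cannot read it, so the header is missing and the request is rejected; a guessed token is rejected too.

```ruby
# Added example: a framework-free model of the cookie-to-header CSRF
# exchange that angular_csrf sets up between Rails and AngularJS.
# Not the gem's own code; CsrfGuard and its methods are illustrative names.
require 'securerandom'

COOKIE_NAME = 'XSRF-TOKEN'   # AngularJS reads this cookie (its default name)
HEADER_NAME = 'X-XSRF-TOKEN' # AngularJS echoes the value in this header

class CsrfGuard
  # session: a Hash standing in for the server-side Rails session store.
  def initialize(session)
    @session = session
  end

  # Server side: make sure the session holds a token and return it.
  def token
    @session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # Server side: the cookie AngularJS expects. It must be readable from
  # JavaScript (no HttpOnly), otherwise $http can never copy it into the header.
  def cookie_for_response
    { name: COOKIE_NAME, value: token, http_only: false, secure: true, same_site: 'Lax' }
  end

  # Server side: a state-changing request is accepted only if the header
  # AngularJS sends matches the session token (constant-time comparison).
  def verified_request?(method, headers)
    return true if %w[GET HEAD OPTIONS].include?(method) # safe methods are not protected
    sent = headers[HEADER_NAME]
    return false if sent.nil?
    secure_compare(sent, token)
  end

  private

  # Length check first, then XOR every byte so timing does not leak the prefix.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Client side: what AngularJS's $http does on every request when the
# cookie is present in the browser: copy its value into the header.
def angular_headers(browser_cookies)
  value = browser_cookies[COOKIE_NAME]
  value ? { HEADER_NAME => value } : {}
end

# Scenario 1: legitimate same-origin request from the Angular app.
def legitimate_post
  guard = CsrfGuard.new({})
  cookie = guard.cookie_for_response
  browser_cookies = { cookie[:name] => cookie[:value] } # constructed cookie jar
  guard.verified_request?('POST', angular_headers(browser_cookies))
end

# Scenario 2: cross-site forged request. The attacker's page can make the
# browser *send* the cookie, but cannot *read* it (same-origin policy), so
# no X-XSRF-TOKEN header accompanies the request.
def forged_post
  guard = CsrfGuard.new({})
  guard.cookie_for_response # victim is logged in and already has the cookie
  guard.verified_request?('POST', {}) # header absent
end

# Scenario 3: a guessed or stale token value is rejected.
def wrong_token_post
  guard = CsrfGuard.new({})
  guard.cookie_for_response
  guard.verified_request?('POST', { HEADER_NAME => SecureRandom.urlsafe_base64(32) })
end

if __FILE__ == $0
  puts "legitimate: #{legitimate_post}"  # true
  puts "forged:     #{forged_post}"      # false
  puts "wrong:      #{wrong_token_post}" # false
end
```

Run it with `ruby csrf_model.rb`. The one setting worth checking in a real deployment is the cookie's HttpOnly flag: the scheme depends on JavaScript being able to read XSRF-TOKEN, so that cookie (unlike the session cookie) must not be HttpOnly, while Secure and a SameSite attribute still apply.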

License

Licensed under the MIT License.

Copyright Chaker Nakhli.
