This attack method sends unauthorized requests by embedding malicious code or a link that tricks a web application into acting on behalf of a user who has already authenticated.
The world without CSRF token
- Client signs in to a bank service; bank.com creates a user session.
- Attacker sends a link to the user.
- Assume the user opens the link (not knowing that it is a malicious site).
- Browser loads the hacker's site and requests the URL (src of image). Although the image cannot be loaded, the browser has sent a GET request to bank.com without the user knowing; bank.com handles the attacker's request using the user's session.
The world with CSRF token
- Rails server generates a CSRF token for every request and keeps it in the session (take a look at )
- The config protect_from_forgery with: :exception will automatically include the CSRF token in all forms and Ajax requests generated by Rails.
- When the user sends a request to the server, it compares the two CSRF tokens and raises an error if they differ, so an attacker is not able to guess the token and craft a valid request. This prevents CSRF on POST requests. For GET requests, you should also not allow the user to create or update data.
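The token check described above, as an added plain-Ruby illustration of the synchronizer-token pattern (this is example code written for these notes, not Rails' own protect_from_forgery implementation, which additionally masks the token per request). The CsrfDemo module, its method names and the sample session hash are assumptions for the demo: the server stores a random token in the session, embeds the same token in every form it renders, rejects a POST whose token is missing or different, and treats GET as read-only so a request triggered by an image src cannot change state.

```ruby
require "securerandom"

# Added illustration (not Rails' own implementation) of the synchronizer-token
# pattern behind protect_from_forgery.
module CsrfDemo
  class InvalidAuthenticityToken < StandardError; end

  # Per-session token: created once and kept in the session hash.
  def self.authenticity_token(session)
    session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # What the server puts into every form it renders (hidden field).
  # The attacker's page on another origin cannot read this value.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{authenticity_token(session)}">)
  end

  # Constant-time comparison so response timing does not leak token bytes.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Server-side handling of one request:
  # - GET never creates or updates data, so no token is required;
  # - POST must carry the token stored in the session, otherwise raise
  #   (the behaviour of protect_from_forgery with: :exception).
  def self.handle(method:, params:, session:)
    case method
    when "GET"
      :read_only_ok
    when "POST"
      expected = session[:csrf_token]
      unless secure_compare(expected, params["authenticity_token"])
        raise InvalidAuthenticityToken, "token missing or mismatched"
      end
      :state_change_ok
    else
      raise ArgumentError, "unsupported method #{method}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}                      # constructed sample session for the demo
  form = CsrfDemo.hidden_field(session)
  token = form[/value="([^"]+)"/, 1]

  # Legitimate submission from a form bank.com rendered: token matches.
  puts CsrfDemo.handle(method: "POST",
                       params: { "amount" => "100", "authenticity_token" => token },
                       session: session)

  # Cross-site POST: the attacker's page never saw the token, so none is sent.
  begin
    CsrfDemo.handle(method: "POST", params: { "amount" => "100" }, session: session)
  rescue CsrfDemo::InvalidAuthenticityToken => e
    puts "rejected: #{e.message}"
  end
end
```

Run the file directly to see the legitimate POST accepted and the cross-site POST rejected. The check only protects endpoints that change state on POST; it does nothing for a GET that mutates data, which is why the last point above matters.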