Module: Otto::Security::CSRFValidation

Included in:
CSRFEnforcementWrapper
Defined in:
lib/otto/security/csrf_validation.rb

Overview

Shared CSRF token mechanics.

Both the global +CSRFMiddleware+ (which injects tokens into HTML responses) and the per-route +CSRFEnforcementWrapper+ (which enforces tokens on unsafe requests, honoring +csrf=exempt+) mix this in so the two cannot drift on what counts as a safe method, where a token may be carried, or how a rejection is shaped. The including object must expose a +@config+ (an +Otto::Security::Config+).

Constant Summary collapse

SAFE_METHODS =

HTTP methods that never mutate state and so are exempt from token validation (RFC 7231 safe methods plus TRACE).

%w[GET HEAD OPTIONS TRACE].freeze
CSRF_ERROR_BODY =

Static 403 body. Frozen once so a rejected request does not re-serialize the same JSON on every call.

{
    error: 'CSRF token validation failed',
  message: 'The request could not be authenticated. Please refresh the page and try again.',
}.to_json.freeze