Module: Otto::Security::CSRFValidation
- Included in:
- CSRFEnforcementWrapper
- Defined in:
- lib/otto/security/csrf_validation.rb
Overview
Shared CSRF token mechanics.
Both the global +CSRFMiddleware+ (which injects tokens into HTML responses) and the per-route +CSRFEnforcementWrapper+ (which enforces tokens on unsafe requests, honoring +csrf=exempt+) mix this in so the two cannot drift on what counts as a safe method, where a token may be carried, or how a rejection is shaped. The including object must expose a +@config+ (an +Otto::Security::Config+).
Constant Summary collapse
- SAFE_METHODS =
HTTP methods that never mutate state and so are exempt from token validation (RFC 7231 safe methods plus TRACE).
%w[GET HEAD OPTIONS TRACE].freeze
- CSRF_ERROR_BODY =
Static 403 body. Frozen once so a rejected request does not re-serialize the same JSON on every call.
{ error: 'CSRF token validation failed', message: 'The request could not be authenticated. Please refresh the page and try again.', }.to_json.freeze