Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection when we aren't worried about older browsers or other kind of actors doing modifying requests in our app, and could be a good test for future upstreaming to Rails (although there we'd need to continue using CSRF tokens or at least letting people opt out manually). Let's start checking the header and reporting on it when CSRF fails or when it doesn't match the other checks Rails does, and then promote this to be the only way to defend from CSRF.
This commit is contained in:
committed by
Rosa Gutierrez
parent
51860d6c66
commit
d88949288c
@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
|
||||
include Authentication
|
||||
include Authorization
|
||||
include CurrentRequest, CurrentTimezone, SetPlatform
|
||||
include RequestForgeryProtection
|
||||
include TurboFlash, ViewTransitions
|
||||
include Saas
|
||||
include RoutingHeaders
|
||||
|
||||
Reference in New Issue
Block a user