Turn off CSRF token in rails 3

107
votes

I have a rails app that serves some APIs to an iPhone application. I want to be able to simply post on a resource without minding on get the correct CSRF token. I tried some methods that I see here in stackoverflow but it seems they no longer work on rails 3.

Thank you for helping me.

3
ruby-on-rails-3csrf

3 Answers

184
votes

In the controller where you want to disable CSRF the check:

skip_before_action :verify_authenticity_token

Or to disable it for everything except a few methods:

skip_before_action :verify_authenticity_token, :except => [:update, :create]

Or to disable only specified methods:

skip_before_action :verify_authenticity_token, :only => [:custom_auth, :update]

More info: RoR Request Forgery Protection

107
votes

In Rails3 you can disable the csrf token in your controller for particular methods:

protect_from_forgery :except => :create
33
votes

With Rails 4, you now have the option to write in skip_before_action instead of skip_before_filter.

# Works in Rails 4 and 5
skip_before_action :verify_authenticity_token

or 

# Works in Rails 3 and 4 (deprecated in Rails 4 and removed in Rails 5)
skip_before_filter :verify_authenticity_token