A long-lived project that still receives updates
AngularJS style CSRF protection for Rails
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

>= 3, < 9
 Project Readme

AngularJS-style CSRF Protection for Rails

Gem CI Downloads total

The AngularJS ng.$http service has built-in CSRF protection. By default, it looks for a cookie named XSRF-TOKEN and, if found, writes its value into an X-XSRF-TOKEN header, which the server compares with the CSRF token saved in the user's session.

This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of csrf_meta_tags to write a CSRF token into your page markup, so it works for pure JSON API applications.

Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.

Check version compatibility to learn which Rails/Rubies are currently supported.

Installation

Add this line to your application's Gemfile:

gem 'angular_rails_csrf'

And then execute:

$ bundle

That's it!

Configuration

Cookie Name

The default cookie's name is XSRF-TOKEN but it can be configured with the angular_rails_csrf_cookie_name setting:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_cookie_name = 'CUSTOM_NAME'
end

Cookie Domain

Starting from version 3, you may set domain for the XSRF cookie:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_domain = :all
end

If angular_rails_csrf_domain is not set, it defaults to nil.

Secure Cookie

To set a "secure" flag for the cookie, set the angular_rails_csrf_secure option to true:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_secure = true
end

angular_rails_csrf_secure defaults to false.

SameSite

The SameSite attribute defaults to :lax. You can override this in the config:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_same_site = :strict
end

NOTE: When using config.angular_rails_csrf_same_site = :none, this gem automatically sets the cookie to Secure (config.angular_rails_csrf_secure = true) to comply with the specifications.

Please note that Safari is known to have issues with SameSite attribute set to :none.

HttpOnly Cookie

To set the "httponly" flag for your cookie, set the angular_rails_csrf_httponly option to true:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_httponly = true
end

angular_rails_csrf_httponly defaults to false.

Exclusions

Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed here):

class ExclusionsController < ApplicationController
  exclude_xsrf_token_cookie

  # your actions here...
end

Testing

Run

$ bundle install

and then

$ rake test

License

Licensed under the MIT License.