protect_from_forgery, with: :null_session


Jay Wengrow

Mar 28, 2014, 12:22:52 AM3/28/14
to rails-a...@googlegroups.com
Hi!

The current README states regarding converting a standard app into a rails-api app:
"And comment out the protect_from_forgery call if you are using it."

However, Rails seems to recommend the following, per the comment in the application controller (at least in Rails 4):

"Prevent CSRF attacks by raising an exception.
  For APIs, you may want to use :null_session instead."

I don't follow exactly why they are recommending null_session - is it because they're assuming your app isn't solely an API?

In any case, it would be great if this can be addressed in the README, because otherwise it will be confusing as to how to proceed, as the Rails comments contradict the advice given here.

Thanks!

Michael Kaiser-Nyman

May 26, 2014, 11:59:20 AM5/26/14
to rails-a...@googlegroups.com
> I don't follow exactly why they are recommending null_session - is it because they're assuming your app isn't solely an API? 

I think that's exactly right. Rails::API's README is assuming that you are building a pure API and that you will never use cookies for auth. Rails' recommendation is based on the assumption your app will support a mix of cookies and token auth.
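To make the trade-off in the two replies concrete, here is an added example (not code from the thread or from Rails) that models what each `protect_from_forgery` strategy does to a request whose CSRF token does not verify. The request hashes, the `API_TOKENS` table and the `handle_request` helper are all constructed for illustration; real Rails also skips verification for GET/HEAD and handles form vs. XHR requests differently.

```ruby
# Simplified model of Rails' forgery-protection strategies (assumption: not
# the real ActionController code). Strategies modelled:
#   :exception    -> raise, the action never runs
#   :null_session -> run the action, but with an empty session for this request
#   :none         -> protect_from_forgery commented out, as the README suggests
class CsrfRejected < StandardError; end

# Constructed lookup for header-based API tokens. Browsers never attach a
# custom Authorization header to a cross-site form post, so a forged request
# from another origin can only ever carry the victim's cookies.
API_TOKENS = { "tok-123" => "alice" }.freeze

# req keys: :token_ok (CSRF token verified?), :session (cookie session hash
# or nil), :api_token (value from an Authorization header or nil)
def handle_request(strategy, req)
  session = req[:session] || {}
  unless req[:token_ok]
    case strategy
    when :exception    then raise CsrfRejected, "unverified request"
    when :null_session then session = {}   # cookie identity dropped for this request
    when :none         then nil            # nothing checked, request runs as-is
    else raise ArgumentError, "unknown strategy #{strategy}"
    end
  end
  # Authenticate: header token first (API clients), then cookie session (browsers)
  user = API_TOKENS[req[:api_token]] || session[:user_id]
  { user: user }
end

# A cross-site form post riding on a logged-in user's cookies (constructed)
def forged_browser_request
  { token_ok: false, session: { user_id: "alice" }, api_token: nil }
end

# A pure API client: bearer token, no cookies, no CSRF token (constructed)
def api_client_request
  { token_ok: false, session: nil, api_token: "tok-123" }
end
```

With `:none` the forged request runs as "alice"; with `:null_session` it runs unauthenticated while the token-bearing API client still works, which is why a pure API can safely drop the check and a mixed cookie-plus-token app should keep it.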

Jay Wengrow

May 26, 2014, 8:49:34 PM5/26/14
to Michael Kaiser-Nyman, rails-a...@googlegroups.com
Gotcha, thanks!
