Is this secure by default in Rails yet? I find it surprising that these techniques are promoted at the same time vulnerabilities are being publicly disclosed:
Is that completely adequate? There was an earlier round of changes due to attackers being able to forge the .xhr header on requests. (This was the patch set at which Rails started checking CSRF tokens on .xhr? requests; before that, they got a free pass.)
nfm|12 years ago
rst|12 years ago
See http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypas...
krapp|12 years ago
I was under the impression that trying to validate that was ultimately as fragile as checking the user-agent string...