Michiel Sikkes
2013-Jan-22 19:38 UTC
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in. Shouldn''t HEAD requests normally be handled like GET requests? I am not sure if I''m just being stupid or that hit is a bug somewhere. Michiel -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/CBalCFmpl9kJ. For more options, visit https://groups.google.com/groups/opt_out.
Robert Walker
2013-Jan-23 19:23 UTC
Re: Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
Michiel Sikkes wrote in post #1093276:> I am running a Rails 4 app in semi-production and I constantly get > exceptions from crawler bots that use a HEAD HTTP method, which causes > the > CSRF protection to kick in. > > Shouldn''t HEAD requests normally be handled like GET requests?According to the Rails Guide it seems apparent that only GET request are assumed to be safe. http://guides.rubyonrails.org/security.html#csrf-countermeasures --------------------------- 3.1 CSRF Countermeasures — First, as is required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF. --------------------------- This document may be oversimplified, but judging by your question I''d say it works pretty much as described. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Jordon Bedwell
2013-Jan-23 19:27 UTC
Re: Re: Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
On Wed, Jan 23, 2013 at 1:23 PM, Robert Walker <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:> Michiel Sikkes wrote in post #1093276: >> I am running a Rails 4 app in semi-production and I constantly get >> exceptions from crawler bots that use a HEAD HTTP method, which causes >> the >> CSRF protection to kick in. >> >> Shouldn''t HEAD requests normally be handled like GET requests? > > According to the Rails Guide it seems apparent that only GET request are > assumed to be safe. > > http://guides.rubyonrails.org/security.html#csrf-countermeasures > --------------------------- > 3.1 CSRF Countermeasures > — First, as is required by the W3C, use GET and POST appropriately. > Secondly, a security token in non-GET requests will protect your > application from CSRF. > --------------------------- > > This document may be oversimplified, but judging by your question I''d > say it works pretty much as described.HEAD requests should not be CSRF protected, sounds like a bug needs to be filed to me. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Maybe Matching Threads
- rspec-rails how to selectively turn on csrf protection for controller specs?
- Auto complete plugin and CSRF protection-- do you care?
- Security problems with CookieStore and CSRF protection
- CSRF Protection Bypass in Ruby on Rails - I don't get it ...
- acts_as_versioned