Wednesday, March 25, 2020

Rails 3 CSRF token still submits

I'm working in a legacy Rails application, trying to clean up some CSRF vulnerabilities. In playing around with this I've found that if I open the page in question (localhost development environment) in the browser and remove the hidden CSRF field from the form, I can still successfully submit the form. The only indication that something is amiss is a warning in the logs: WARNING: Can't verify CSRF token authenticity.

Is this standard behaviour? Normally (at least in Rails 4+) if you try to submit a protected form without the accompanying token, ApplicationController will throw an error. Should my app be crashing when I remove the CSRF field? Any ideas on why it might not be?
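Added example, not code from the original post or from Rails itself. The behaviour the question describes is what Rails 3's protect_from_forgery does by default: a POST without a valid token is not rejected; handle_unverified_request calls reset_session, logs "WARNING: Can't verify CSRF token authenticity" and lets the action run. If the page does not depend on session state (a development page with nobody logged in), the submission looks completely successful. Rails 4 added the with: option (:null_session, :reset_session, :exception), and the generated ApplicationController uses with: :exception, which raises ActionController::InvalidAuthenticityToken; on Rails 3 the equivalent is to override handle_unverified_request in ApplicationController to raise. The small stand-in below models the verification logic and the three strategies so the difference is visible without a Rails app; the class, method and request-hash shapes are simplified assumptions.

```ruby
require 'securerandom'

# Simplified stand-in for ActionController::RequestForgeryProtection
# (assumption: not Rails code). Models the three ways an unverified request
# can be handled: :reset_session (Rails 3 default), :null_session, :exception.
class CsrfGuard
  class InvalidAuthenticityToken < StandardError; end

  attr_reader :session

  def initialize(session, strategy)
    @session  = session
    @strategy = strategy
  end

  # One token per session, as Rails' form_authenticity_token does.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Rails' verified_request?: safe methods pass; otherwise the token must
  # arrive as the authenticity_token param or the X-CSRF-Token header.
  def verified_request?(request)
    return true if %w[GET HEAD].include?(request[:method])
    token = form_authenticity_token
    secure_compare(token, request[:params]['authenticity_token'].to_s) ||
      secure_compare(token, request[:headers]['X-CSRF-Token'].to_s)
  end

  # Runs before every action, like the verify_authenticity_token filter.
  # Returns the session the action would see; raises only for :exception.
  def verify!(request)
    return session if verified_request?(request)
    warn "WARNING: Can't verify CSRF token authenticity"
    case @strategy
    when :reset_session then session.clear; session   # Rails 3: wipe and continue
    when :null_session  then {}                        # run with an empty session
    when :exception     then raise InvalidAuthenticityToken
    else raise ArgumentError, "unknown strategy #{@strategy}"
    end
  end

  private

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: a logged-in user (user_id 42) posts a form under the
# given strategy, with or without the hidden token. Returns what the action
# would observe.
def submit_form(strategy, with_token:)
  session = { user_id: 42 }
  guard   = CsrfGuard.new(session, strategy)
  token   = guard.form_authenticity_token
  params  = { 'title' => 'hello' }
  params['authenticity_token'] = token if with_token
  request = { method: 'POST', params: params, headers: {} }

  effective = guard.verify!(request)
  effective[:user_id] ? :accepted_logged_in : :accepted_logged_out
rescue CsrfGuard::InvalidAuthenticityToken
  :rejected_with_exception
end

if __FILE__ == $PROGRAM_NAME
  %i[reset_session null_session exception].each do |strategy|
    puts "#{strategy}: with token -> #{submit_form(strategy, with_token: true)}, " \
         "without -> #{submit_form(strategy, with_token: false)}"
  end
end
```

With :reset_session the form "succeeds" but the user is silently logged out, which is the only effect a missing token has in a default Rails 3 app; with :exception the request is rejected outright, matching the Rails 4+ behaviour the question expects.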
