Ever wanted to test your CSRF protection in a Rails app? For example, when you have a custom “remember me” cookie set and you need to override Rails’ handle_unverified_request to clear it, so that it does not open a big security hole in your app? I know I did, and it took me a while to find out how to do that, so I figured it would be good to write about it.
Here’s how to do it (in Test::Unit, but it’s the same for RSpec):
setup do
  # Enable CSRF protection in this test
  ActionController::Base.allow_forgery_protection = true
end

teardown do
  # Disable CSRF protection for all other tests
  ActionController::Base.allow_forgery_protection = false
end
Adding the above makes the authenticity_token get added to each generated <form> element, and it is then required on every non-GET request.
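As an added example that is not from the original post or from Rails itself: a small plain-Ruby stand-in for the pieces involved (the protection toggle, the token check on non-GET requests, and the overridden handle_unverified_request) so the behaviour can be exercised without a Rails app. FakeController and its methods are hypothetical and only model the Rails flow; the point is that the override must drop the custom “remember me” cookie, not just reject the request.

```ruby
require 'securerandom'

# Hypothetical stand-in for the CSRF parts of ActionController::Base.
class FakeController
  # Mirrors ActionController::Base.allow_forgery_protection.
  class << self; attr_accessor :allow_forgery_protection; end
  self.allow_forgery_protection = false

  attr_reader :session, :cookies, :status

  def initialize(session: {}, cookies: {})
    @session = session   # server-side session store (constructed)
    @cookies = cookies   # request cookies, e.g. the "remember me" one
    @status = nil
  end

  # Token that would be embedded in each generated <form>.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # The check is skipped for GET/HEAD and when protection is disabled,
  # which is why the setup/teardown toggle in the post matters.
  def verified_request?(method, params)
    return true unless self.class.allow_forgery_protection
    return true if %w[GET HEAD].include?(method)
    token = params['authenticity_token']
    !token.nil? && token == session[:_csrf_token]
  end

  # The override the post describes: a failed check resets the session
  # AND clears the "remember me" cookie, so a forged POST cannot ride on it.
  def handle_unverified_request
    cookies.delete(:remember_me)
    session.clear
    @status = 422
  end

  # Returns the HTTP status the request would end with.
  def process(method, params = {})
    unless verified_request?(method, params)
      handle_unverified_request
      return @status
    end
    @status = 200
  end
end
```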
Sweet, thanks!