Ever wanted to test your CSRF protection in a Rails app? For example, in a situation where you have a custom “remember me” cookie set and you need to override Rails’ handle_unverified_request to clear it, so that a forged request is not silently authenticated by that cookie and left as a big security hole in your app? I know I did, and it took me a while to find out how to do that, so I figured it would be good to write about it.
Here’s how to do it (in Test::Unit, but it’s the same for RSpec):
```ruby
setup do
  # Enable CSRF protection in this test
  ActionController::Base.allow_forgery_protection = true
end

teardown do
  # Disable CSRF protection for all other tests
  ActionController::Base.allow_forgery_protection = false
end
```
Adding the above will make it so that the authenticity_token is added to each generated <form> element and is required to be sent with each non-GET request. The setup block is needed because the generated test environment (config/environments/test.rb) turns allow_forgery_protection off, so without it a test can never exercise handle_unverified_request.
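To show what the test is actually checking once protection is on, here is an added example that is not code from the original post: a small, framework-free Ruby model of the two hooks the post talks about. The App class and the remember_me cookie name are assumptions standing in for a Rails controller; verified_request? mirrors Rails' rule that GET/HEAD are exempt and every other request must carry the session's token, and handle_unverified_request does what the post recommends, clearing the persistent login cookie as well as the session, so that a request without a valid token cannot ride on the "remember me" cookie. It runs stand-alone so the behaviour can be asserted without booting Rails.

```ruby
require "securerandom"

# Simplified model of a Rails controller's CSRF hooks (assumed names, not
# Rails' own code). Session and cookie stores are plain hashes.
class App
  attr_reader :session, :cookies

  def initialize(allow_forgery_protection: true)
    @allow_forgery_protection = allow_forgery_protection
    @session = { csrf_token: SecureRandom.hex(32) }
    @cookies = { "remember_me" => "user-42-remember-token" } # constructed value
  end

  # Token the app embeds as the hidden authenticity_token field in each <form>.
  def form_authenticity_token
    @session[:csrf_token]
  end

  # Like Rails: safe methods are exempt; everything else must present the
  # token either as a form param or as an X-CSRF-Token header.
  def verified_request?(method, params = {}, headers = {})
    return true unless @allow_forgery_protection
    return true if %w[GET HEAD].include?(method.upcase)

    token = (params["authenticity_token"] || headers["X-CSRF-Token"]).to_s
    expected = @session[:csrf_token].to_s
    token.bytesize == expected.bytesize && secure_compare(token, expected)
  end

  # The post's point: besides dropping the session, also delete the custom
  # "remember me" cookie, otherwise the forged request and any later request
  # would still be authenticated by that cookie.
  def handle_unverified_request
    @session = { csrf_token: SecureRandom.hex(32) }
    @cookies.delete("remember_me")
  end

  # Simulated dispatch: returns :ok when the request passed the check,
  # :rejected when the unverified-request handler had to run.
  def process(method, params = {}, headers = {})
    return :ok if verified_request?(method, params, headers)

    handle_unverified_request
    :rejected
  end

  private

  # Constant-time comparison for equal-length strings (caller checks length).
  def secure_compare(a, b)
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The scenario the post's setup/teardown makes testable: protection is ON,
# a request with the real token is accepted and keeps the cookie, a request
# without it is rejected and loses the "remember me" cookie.
def run_csrf_checks
  app = App.new(allow_forgery_protection: true)
  good = app.process("POST", "authenticity_token" => app.form_authenticity_token)
  cookie_after_good = app.cookies.key?("remember_me")
  bad = app.process("POST", {}) # forged request: no token at all
  cookie_after_bad = app.cookies.key?("remember_me")
  { good: good, cookie_after_good: cookie_after_good,
    bad: bad, cookie_after_bad: cookie_after_bad }
end

if __FILE__ == $PROGRAM_NAME
  p run_csrf_checks
end
```

With allow_forgery_protection left at false, as the teardown restores it for the rest of the suite, the same POST without a token is accepted, which is exactly why the post's setup block is required for this one test.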