---
title: Use CSRF Protection
impact: HIGH
impactDescription: prevents Cross-Site Request Forgery (CSRF) attacks
tags: security, csrf, vulnerability, rails
---

## Use CSRF Protection

Ensure CSRF protection is enabled for all state-changing requests (POST, PUT, PATCH, DELETE). Rails enables it by default for controllers that inherit from `ActionController::Base` via `protect_from_forgery`, which adds the `verify_authenticity_token` before-action. The usual way it gets lost is a controller that calls `skip_before_action :verify_authenticity_token` to silence a token error, which leaves every action in that controller (and its subclasses) open to forged requests.

**Incorrect (disabled CSRF):**

```ruby
class ApplicationController < ActionController::Base
  # Removes the authenticity-token check for every controller in the app,
  # so any cross-site form or script can trigger state-changing actions
  skip_before_action :verify_authenticity_token
end
```

**Correct (enabled CSRF):**

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

# In layouts:
# <%= csrf_meta_tags %>
```
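To make the mechanism behind `protect_from_forgery` concrete, here is an added illustration (not Rails' own code) of how a Rails-style masked authenticity token is issued and checked: the session holds one secret, each rendered form receives a freshly masked copy, and verification unmasks the submitted value and compares it in constant time, only for state-changing verbs. Names such as `CsrfDemo` and `verify_request?` are this example's own.

```ruby
require 'securerandom'
require 'base64'

# Pure-Ruby sketch of Rails-style masked CSRF tokens (illustrative, not Rails' implementation).
module CsrfDemo
  TOKEN_LENGTH = 32

  # Per-session raw secret, created on first use (Rails keeps it in session[:_csrf_token]).
  def self.raw_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Token placed in a form: base64(pad || (pad XOR raw)). A fresh one-time pad per
  # render means the same secret never appears as the same bytes twice in a response.
  def self.masked_token(session)
    raw = raw_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Unmasks a submitted token and compares it with the session secret.
  # Returns false on any malformed input instead of raising.
  def self.valid_token?(session, submitted)
    return false unless session[:_csrf_token] && submitted.is_a?(String)
    decoded = begin
      Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, masked), session[:_csrf_token])
  end

  # Mirrors the before-action: safe verbs pass, everything else needs a valid
  # token from the form field or the X-CSRF-Token header.
  def self.verify_request?(session, method, params, headers)
    return true if %w[GET HEAD OPTIONS].include?(method.to_s.upcase)
    valid_token?(session, params['authenticity_token'] || headers['X-CSRF-Token'])
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so timing does not leak how many bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```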

**Tools:** Brakeman, Rails default

---
