I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in.
Shouldn’t HEAD requests normally be handled like GET requests?
I am not sure if I’m just being stupid or that it is a bug somewhere.
According to the Rails Guide it seems apparent that only GET requests are assumed to be safe.
3.1 CSRF Countermeasures
— First, as is required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF.
This document may be oversimplified, but judging by your question I’d say it works pretty much as described.
HEAD requests should not be CSRF protected, sounds like a bug needs to be filed to me.
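To make the point of the thread concrete, here is an added illustration (not Rails' own code, and not posted by anyone in this thread) of how a CSRF verifier should classify requests: GET and HEAD are "safe" methods in the HTTP sense and are let through without a token, while every other method must carry a token matching the one issued for the session. The `Request` struct, the `CsrfVerifier` class and the parameter/header names are assumptions made for this example; a real Rails app gets this behaviour from `protect_from_forgery` rather than from hand-written code.

```ruby
# Added example: a minimal CSRF request-verification check that treats HEAD
# like GET. This is an illustration, not Rails' RequestForgeryProtection.
require 'securerandom'

# HTTP methods that must not change server state, so they need no CSRF token.
SAFE_METHODS = %w[GET HEAD].freeze

# Stand-in for a framework request object (constructed for this example).
# params and headers are plain hashes keyed by string.
Request = Struct.new(:request_method, :params, :headers)

class CsrfVerifier
  attr_reader :form_authenticity_token

  # The token would normally live in the user's session; a random one is
  # generated here so the example runs stand-alone.
  def initialize(session_token = SecureRandom.base64(32))
    @form_authenticity_token = session_token
  end

  # True when the request is safe (GET/HEAD) or carries a matching token,
  # either as a form parameter or in the X-CSRF-Token header (assumed names).
  def verified_request?(request)
    return true if SAFE_METHODS.include?(request.request_method.to_s.upcase)

    candidate = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
    return false if candidate.nil?

    secure_compare(candidate.to_s, form_authenticity_token)
  end

  private

  # Constant-time comparison so response timing does not reveal how many
  # leading bytes of a guessed token were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    left = a.unpack('C*')
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  verifier = CsrfVerifier.new
  crawler_head = Request.new('HEAD', {}, {})          # what a crawler bot sends
  anonymous_post = Request.new('POST', {}, {})        # a form post with no token
  puts "HEAD without token verified? #{verifier.verified_request?(crawler_head)}"
  puts "POST without token verified? #{verifier.verified_request?(anonymous_post)}"
end
```

With this classification a crawler's HEAD request is accepted without a token, which is the behaviour the reply above expects from the framework; only state-changing methods are required to present the token.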