This is the second post of our Rails security series.
After we talked about sessions, we now focus on another important security issue you should be aware of: Cross-Site Request Forgery (CSRF).
This attack works by placing malicious code or a crafted link on a page the victim visits, which then issues a request to a web application the user is believed to be authenticated to. Because the browser automatically attaches the session cookie to every request for that site, if the session has not timed out the attacker's request is treated as the user's own and unauthorized commands may be executed.
One thing that limits the window for CSRF is to expire your sessions. Expiring sessions on the server side is safer than relying on the cookie's own expiry, because the client can edit the cookies stored in the web browser and keep an old session alive.
To protect your application from CSRF you must pay attention to how you use GET and POST requests. GET must never change state, because a browser will issue a GET for any image tag or link an attacker places on a page:
- Use the additional HTTP verbs PUT and DELETE (not only GET and POST) if your web application is RESTful, so that state-changing actions are never reachable over GET.
- Use the verify method in controllers to make sure that specific actions cannot be used over GET, e.g. POST must be used to create a blog post:
verify :method => :post, :only => [:create]
(verify is a Rails 2 feature; it was removed from Rails 3 core and lives on as the verification plugin. In Rails 3, restrict the verb in config/routes.rb instead, e.g. resources :posts maps create to POST only.)
- Include a security token in every non-GET request by enabling protect_from_forgery in ApplicationController. Rails then verifies the authenticity token on non-GET requests and the form helpers add it as a hidden field automatically. For Rails 3, also put the csrf_meta_tag helper (csrf_meta_tags from Rails 3.1) in your layout so that JavaScript requests made through jquery-ujs can send the token in the X-CSRF-Token header.
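The following stand-alone Ruby script is an added example, not code from the original post or from Rails itself. It models the two checks described above: the per-action verb restriction that verify :method => :post enforces, and the session-bound authenticity token that protect_from_forgery checks on every non-GET request (accepted either as the authenticity_token form field or as the X-CSRF-Token header that jquery-ujs sends). The session is modeled as a plain Hash, the token is kept under the same :_csrf_token key Rails uses, and the CsrfDemo module, dispatch method and action names are assumptions for illustration only.

```ruby
require 'securerandom'

# Added illustration (not Rails' own code) of what verify and
# protect_from_forgery do for you. Session is a plain Hash here.
module CsrfDemo
  SAFE_METHODS = %w[GET HEAD].freeze
  TOKEN_KEY    = :_csrf_token # Rails stores the token under this session key

  # Assumed action list: like `verify :method => :post, :only => [:create]`
  POST_ONLY_ACTIONS = %w[create].freeze

  # form_authenticity_token equivalent: one random token per session,
  # created lazily and reused until the session is reset.
  def self.form_authenticity_token(session)
    session[TOKEN_KEY] ||= SecureRandom.base64(32)
  end

  # Constant-time string comparison, so an attacker cannot recover the
  # token byte by byte from response timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # protect_from_forgery equivalent: GET/HEAD pass (they must not change
  # state); every other verb must carry the session's token, either as a
  # form field or in the X-CSRF-Token header fed from csrf_meta_tag(s).
  def self.verified_request?(method, session, params, headers)
    return true if SAFE_METHODS.include?(method)
    expected = session[TOKEN_KEY]
    return false if expected.nil? # no token issued yet: nothing can match
    supplied = params['authenticity_token'] || headers['X-CSRF-Token']
    secure_compare(expected, supplied)
  end

  # Hypothetical dispatcher: returns :ok, :method_not_allowed or :invalid_token
  def self.dispatch(method, action, session, params = {}, headers = {})
    method = method.to_s.upcase
    if POST_ONLY_ACTIONS.include?(action) && method != 'POST'
      return :method_not_allowed # what `verify` would refuse
    end
    return :invalid_token unless verified_request?(method, session, params, headers)
    :ok
  end
end

if __FILE__ == $0
  victim_session = {}
  token = CsrfDemo.form_authenticity_token(victim_session) # rendered into the form

  # Attacker's page: a hidden auto-submitting form or <img> hitting /posts.
  # The browser sends the cookie, but the attacker never sees the token.
  puts "GET  /posts (index)          -> #{CsrfDemo.dispatch('GET', 'index', victim_session)}"
  puts "GET  /posts/create (forged)  -> #{CsrfDemo.dispatch('GET', 'create', victim_session)}"
  puts "POST /posts (forged, no tok) -> #{CsrfDemo.dispatch('POST', 'create', victim_session)}"
  puts "POST /posts (legit form)     -> #{CsrfDemo.dispatch('POST', 'create', victim_session, 'authenticity_token' => token)}"
  puts "DELETE /posts/1 (AJAX)       -> #{CsrfDemo.dispatch('DELETE', 'destroy', victim_session, {}, 'X-CSRF-Token' => token)}"
end
```

Note what the example makes visible: the forged GET to create is stopped by the verb check alone, the forged POST is stopped because the attacker's page cannot read the victim's token, and the legitimate form and AJAX request both pass because they carry the token that only a page rendered by your application could have embedded.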
