Lack of Rails anti-CSRF defaults when Controller is inherited from ActionController::Base

# Description of Issue
The default configuration for Rails’ `ActionController::Base` does not automatically include the anti-CSRF mechanism, `protect_from_forgery`. This leaves affected many Rails applications vulnerable to CSRF.

The issue has been mentioned in a [Pull Request in Rails](https://github.com/rails/rails/pull/27362). Subsequently, a [blog post](https://www.sourceclear.com/blog/Over-50000-Ruby-developers-impacted-by-CSRF-attacks/) was published to explore the extent of the impact. More technical information about the issue can be viewed [here](https://www.sourceclear.com/registry/vulnerabilities/3173).

# Fix
A reasonable fix has been mentioned both in the [Pull Request made in Rails](https://github.com/rails/rails/pull/27362), as well as in this [blog post](https://www.sourceclear.com/blog/Rails-GEMS-Vulnerable-to-CSRF-Show-Vulnerability-Disclosure-in-Open-Source-Projects-Needs-a-Re-Think/).

An example fix for most Rails Application would be as follows:
```diff
class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+
```

And for Rails Applications which are APIs:
```diff
class ApplicationController < ActionController::Base
+    protect_from_forgery with: :null_session
+
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Lack of Rails anti-CSRF defaults when Controller is inherited from ActionController::Base #12

Description of Issue

Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Lack of Rails anti-CSRF defaults when Controller is inherited from ActionController::Base #12

Description

Description of Issue

Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions