Testing CSRF protection in Rails

Ever wanted to test your CSRF protection in a Rails app? For example, in a situation where you have a custom “remember me” cookie set and you need to override Rails’ handle_unverified_request to clear it, so that a forged request cannot ride on that cookie and open a big security hole in your app? I know I did, and it took me a while to find out how to do that, so I figured it would be good to write about it.

Here’s how to do it (in Test::Unit; with RSpec use before/after blocks the same way):

setup do
  # Enable CSRF protection in this test. Rails turns it off for the whole
  # test environment (config/environments/test.rb), so a test that posts
  # without a token would otherwise pass silently.
  ActionController::Base.allow_forgery_protection = true
end

teardown do
  # Disable CSRF protection again for all other tests
  ActionController::Base.allow_forgery_protection = false
end

Adding the above makes Rails embed the authenticity_token in every <form> generated by the form helpers and require it on every non-GET request. A request that arrives without the token (or with a wrong one) goes through handle_unverified_request, which is exactly the code path you want to exercise when you have overridden it to clear the “remember me” cookie.
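To show why the toggle matters, here is an added, stand-alone Ruby model of the check Rails performs (it is not Rails code and not from the original post): a per-session authenticity token, a verified_request? check that is skipped for safe methods, and a handle_unverified_request override that clears a “remember me” cookie. The class and method names, the constructed cookie value and the 422 status for a rejected request are this example’s own assumptions; Rails’ default handler only resets the session and lets the action continue.

```ruby
require 'securerandom'

# Stand-alone model of Rails' forgery protection (assumed names, not Rails code).
class FakeRailsController
  # Mirrors ActionController::Base.allow_forgery_protection, which is false in
  # the test environment by default, so tests must switch it on explicitly.
  class << self
    attr_accessor :allow_forgery_protection
  end
  self.allow_forgery_protection = false

  attr_reader :session, :cookies, :body

  def initialize(session = {})
    @session = session
    # Constructed sample "remember me" cookie, the thing a forged request could abuse.
    @cookies = { 'remember_me' => 'opaque-remember-token' }
    @body = nil
  end

  # Rails keeps the token in the session and embeds it in every generated form.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Same shape as Rails' verified_request?: pass when protection is off, when the
  # method is safe, or when the submitted token (param or header) matches.
  def verified_request?(method, params, headers)
    return true unless self.class.allow_forgery_protection
    return true if method == 'GET' || method == 'HEAD'
    submitted = params['authenticity_token'] || headers['X-CSRF-Token']
    return false if submitted.nil?
    secure_equal?(form_authenticity_token, submitted)
  end

  # The hook the post overrides: on top of resetting the session, clear the
  # persistent login cookie so a forged request cannot ride on it.
  def handle_unverified_request
    session.clear
    cookies.delete('remember_me')
  end

  # Simulates dispatching a request through the protect_from_forgery filter.
  # Returns a status code so a test can assert on it (422 is this model's choice).
  def dispatch(method, params = {}, headers = {})
    unless verified_request?(method, params, headers)
      handle_unverified_request
      return 422
    end
    @body = "#{method} ok"
    200
  end

  private

  # Constant-time comparison (an addition over the plain == older Rails used).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A POST with no token; returns [status, remember_me cookie still present?].
# With protection off (the test-environment default) the hole is invisible.
def post_without_token(protection_enabled)
  FakeRailsController.allow_forgery_protection = protection_enabled
  controller = FakeRailsController.new
  status = controller.dispatch('POST', { 'action' => 'update' })
  [status, controller.cookies.key?('remember_me')]
ensure
  FakeRailsController.allow_forgery_protection = false # the teardown step
end

# A POST carrying the token a generated <form> would include.
def post_with_token
  FakeRailsController.allow_forgery_protection = true
  controller = FakeRailsController.new
  token = controller.form_authenticity_token
  status = controller.dispatch('POST', { 'authenticity_token' => token })
  [status, controller.cookies.key?('remember_me')]
ensure
  FakeRailsController.allow_forgery_protection = false
end

if __FILE__ == $0
  puts "protection off, no token:  #{post_without_token(false).inspect}"
  puts "protection on,  no token:  #{post_without_token(true).inspect}"
  puts "protection on,  with token: #{post_with_token.inspect}"
end
```

The first call is the situation you get in a plain Rails test: the forged POST is accepted and the cookie survives, so a test for the override can never fail. Only with protection switched on does the token-less POST reach handle_unverified_request and clear the cookie, which is what the setup/teardown above arranges.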

One Response to “Testing CSRF protection in Rails”

  1. Jason Heiss says:

    Sweet, thanks!