Skip to content

Instantly share code, notes, and snippets.

View chans-me's full-sized avatar
🛠️
Automate boring stuff

chans chans-me

🛠️
Automate boring stuff
0 followers · 1 following
View GitHub Profile
@chans-me
chans-me / what_is_csrf_token.md
Created February 24, 2022 11:33
What is CSRF Tokens and How does it works in Rails?

CSRF stands for Cross-site request forgery. It is a technique hackers use to hack into a web application.

Cross-Site Request Forgery (CSRF) in simple words

  • Assume you are currently logged into your online banking at www.mybank.com
  • Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
  • You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
  • If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
  • You retrieved that `ww