
Add CSRF token validation to API endpoints #686

@aaronlippold

Description

While Rails provides CSRF protection by default for web requests, we should explicitly verify and document CSRF token handling for API endpoints.

Current Implementation

  • Rails default CSRF protection enabled for web requests
  • API endpoints may bypass CSRF for token-based auth
  • Not explicitly visible in ApplicationController

Proposed Changes

  1. Add explicit protect_from_forgery with: :exception to ApplicationController
  2. Document CSRF token handling for API endpoints
  3. Add tests to verify CSRF protection is active

Acceptance Criteria

  • CSRF protection explicitly declared in ApplicationController
  • API authentication strategy documented
  • Tests verify CSRF tokens are validated
  • No breaking changes to existing API integrations

References

  • Rails Security Guide on CSRF
  • NIST SP 800-53 SC-23
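Added illustration, not code from the issue or the project: a pure-Ruby model of the check behind `protect_from_forgery with: :exception` and of the API exemption that item 2 asks to document, so the tests proposed in item 3 have concrete behaviour to assert on. The request hash shape, the bearer_token field and the exemption rule (token auth without a cookie session is exempt) are assumptions of this model.

```ruby
require "securerandom"
require "base64"

# Constructed model (not the project's code) of the forgery check. Rails masks
# the session token with a one-time pad (its BREACH mitigation); the server
# unmasks the submitted copy and compares it to the session copy in constant time.
TOKEN_LENGTH = 32
SAFE_METHODS = %w[GET HEAD].freeze

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value the form helper or csrf_meta_tags hands out: base64(pad || pad XOR token).
def masked_token(raw)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(raw, pad))
end

def unmask_token(masked)
  decoded = Base64.strict_decode64(masked)
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  xor_bytes(decoded[TOKEN_LENGTH, TOKEN_LENGTH], decoded[0, TOKEN_LENGTH])
rescue ArgumentError
  nil # malformed base64 is treated as an absent token, not an error
end

# Constant-time comparison so a token cannot be guessed byte by byte via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_authenticity_token?(session_token, submitted)
  raw = submitted.nil? ? nil : unmask_token(submitted)
  !raw.nil? && secure_compare(raw, session_token)
end

# Per-request policy (hash keys are constructed for this model). Assumed API rule:
# a bearer-token request with no cookie session has nothing a cross-site page could replay.
def verified_request?(request)
  return true if SAFE_METHODS.include?(request[:method])
  session_token = request[:session_token] # nil when no session cookie was sent
  return true if session_token.nil? && request[:bearer_token]
  submitted = request.dig(:params, "authenticity_token") || request.dig(:headers, "X-CSRF-Token")
  !session_token.nil? && valid_authenticity_token?(session_token, submitted)
end
```

A cookie-authenticated request that also sends a bearer token is still subject to the token check, which is the case an "API" endpoint reachable from a browser session must not quietly exempt.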
