Angular_rails_csrf

Rails integration for AngularJS style CSRF protection

Overview

The AngularJS-style CSRF Protection for Rails Gem is a vital tool for developers looking to secure their Rails applications, especially those utilizing cookie-based session authentication. With over 10 million downloads since its inception in 2013, it has proven its effectiveness in simplifying CSRF protection for applications that serve front-end content directly through Rails. Though the gem is transitioning into passive maintenance mode starting June 2025, its existing functionalities make it an essential addition for those maintaining Rails monoliths that require token-based CSRF validation.

This gem aligns with AngularJS applications by leveraging the built-in CSRF protection of the ng.$http service: Rails sets the XSRF-TOKEN cookie, and the client sends it back as a request header. This cookie-based approach removes the extra configuration AngularJS applications would otherwise need and also works for pure JSON API setups, keeping integration straightforward for developers.

Features

  • Easy Integration: Directly supports the XSRF-TOKEN scheme for seamless CSRF protection in Rails applications without modifying existing AngularJS setups.

  • Configurable Cookie Name: Allows customization of the cookie name through the angular_rails_csrf_cookie_name setting to fit specific project needs.

  • Domain Configuration: From version 3 onwards, you can set the domain for the XSRF cookie, providing enhanced control over cookie handling.

  • Secure Cookies: Supports a "secure" flag for cookies by enabling the angular_rails_csrf_secure option, enhancing security for sensitive transactions.

  • SameSite Attribute Customization: Defaults to :lax, with the option to override, catering to various application requirements while adhering to modern security standards.

  • HttpOnly Flag Support: Can be set to make the cookie HttpOnly, preventing client-side scripts from accessing sensitive information.

  • Controller Exclusions: Allows the XSRF cookie to be skipped for specific controllers, which is useful for streaming responses or WebSocket connections where setting cookies is not wanted.

  • MIT Licensed: Provides a permissive license, encouraging widespread use and modification in both personal and commercial projects.