CSRF stands for Cross-Site Request Forgery. It is an attack in which a page controlled by the attacker submits a request (for example a form POST) to our website on our behalf, causing damage to the site or revealing sensitive information from it. Browsers automatically attach a domain's cookies to every request sent to that domain, so if we are currently logged in to the target site, the request the attacker's page triggers carries our session cookie and looks to the server like a request made by us as a logged-in user.
How does Rails help us protect against it?
Rails protects against CSRF through protect_from_forgery in ApplicationController (generated apps declare protect_from_forgery with: :exception, and since Rails 5.2 it is enabled by default through config.action_controller.default_protect_from_forgery). With it in place, Rails requires a valid CSRF token (the authenticity_token) before accepting any non-GET request: POST, PUT, PATCH or DELETE. The Rails form builder automatically includes the token as a hidden field in every form. For non-form requests, the token is also emitted in the page head by csrf_meta_tags, and JavaScript (rails-ujs, for example) reads it from that meta tag and sends it in the X-CSRF-Token header. An attacker's page cannot read the token because of the browser's same-origin policy: it can make the browser send a request to our site, but it cannot read the response, and so never sees the form field or meta tag that carries the token. Note the other side of this: the token is only checked on non-GET requests, so any action that changes state must not be reachable via GET, or the protection does not apply to it.
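To make the mechanism concrete, here is an added stand-alone model of the check described above. It is example code written for this page, not Rails's own implementation: the session and request are plain hashes, and the masking scheme (a 32-byte per-session token XORed with a fresh random pad for every form, which is what Rails has done since 4.2) is reimplemented in a few lines. It shows a same-site form and an XHR with the header passing, and a cross-site form, a forged token and a plain GET being handled as Rails would handle them.

```ruby
require 'securerandom'

# Example code for this page, not Rails's own. Models Rails-style CSRF token
# handling with plain hashes standing in for the session and the request.
TOKEN_LENGTH = 32
SAFE_METHODS = %w[GET HEAD].freeze   # Rails verifies only non-GET/HEAD requests

# The raw per-session token, created on first use and kept in the session.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What the form builder's hidden field / csrf_meta_tags would carry: the raw
# token XORed with a fresh one-time pad, so every page shows a different value.
def masked_csrf_token(session)
  raw = real_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, raw)].pack('m0')          # strict base64
end

# Reverse the masking; nil for anything that is not a well-formed token.
def unmask(encoded)
  decoded = encoded.unpack1('m0')
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  xor_bytes(pad, decoded[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError
  nil
end

# Constant-time comparison so a wrong token cannot be probed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_csrf_token?(session, presented)
  return false if presented.nil? || session[:_csrf_token].nil?
  raw = unmask(presented)
  !raw.nil? && secure_compare(raw, session[:_csrf_token])
end

# The request is { method:, params:, headers: }. The token may arrive either as
# the authenticity_token form field or in the X-CSRF-Token header.
def verified_request?(session, request)
  return true if SAFE_METHODS.include?(request[:method])
  token = request.dig(:params, 'authenticity_token') ||
          request.dig(:headers, 'X-CSRF-Token')
  valid_csrf_token?(session, token)
end

# Constructed scenarios: one logged-in session, then several requests against it.
def demo
  session = {}
  token = masked_csrf_token(session)      # rendered into our own page
  attacker_token = masked_csrf_token({})  # attacker guessing with a token of their own
  {
    same_site_form: verified_request?(session, { method: 'POST',
                                                 params: { 'authenticity_token' => token } }),
    xhr_with_header: verified_request?(session, { method: 'DELETE',
                                                  headers: { 'X-CSRF-Token' => token } }),
    cross_site_form: verified_request?(session, { method: 'POST', params: {} }),
    forged_token:    verified_request?(session, { method: 'POST',
                                                  params: { 'authenticity_token' => attacker_token } }),
    plain_get:       verified_request?(session, { method: 'GET' })
  }
end

demo.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" } if $PROGRAM_NAME == __FILE__
```

The cross-site form is rejected because the attacker's page can trigger the POST but cannot read our page to copy the token out of it; the forged token is rejected because it unmasks to a value that is not the victim session's token. The plain GET is accepted without any check, which is exactly why state-changing actions must not be routed through GET.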