Want more GoRails?

GoRails is packed full with 697 lessons just like this one.

Sign up to get full access or log in to your account and sit back.

How Cross-Site Request Forgery (CSRF) Works in Ruby on Rails

February 8, 2022

Track your progress

Sign in to track your progress and access subscription-only lessons.

Log In

Your Teacher

Hi, I'm Chris. I'm the creator of GoRails, Hatchbox.io and Jumpstart. I spend my time creating tutorials and tools to help Ruby on Rails developers build apps better and faster.

About This Episode

Ever gotten an InvalidAuthentictyToken error in Rails and wondered how CSRF works? In this lesson, we'll learn how it works behind the scenes so you can understand exactly what's going on.



Add this code to your ApplicationController to see how Rails compares the CSRF tokens you sent to the CSRF token in your application.

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception

  before_action do
    p "👋"
    p "real #{real_csrf_token(session)}"
    p "global #{global_csrf_token(session)}"

    request_authenticity_tokens.each do |token|
      next if token.nil?

      decoded_token = decode_csrf_token(token)
      if decoded_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
        p unmask_token(decoded_token)
        p decoded_token

Additional Reading:

Want to stay up-to-date with Ruby on Rails?

Join 83,603+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.