Turning off authenticity token in Rails 2 for web services?

Question

它不仅可以在HTML中填写表单，还可以发送包含参数的发布请求。例如，如果将Accept标志设置为'application / JSON'，是否可以关闭真实性标记在HTTP标头？

Answer 1

The request forgery protection works on the basis of checking the content-type of requests and it only checks the requests that can be made by a browser. No browser is able to generate a request with the content-type set to "application/json" for example. That's why the rails forgery protection routine won't check it. So, if you want to make a json request to your application, set the content-type header to "application/json" and it should work.

Answer 2

I know there is a way to turn it off for a controller or an action. Not sure about the content type. Wouldn't it be easier to just add the authenticity token to every json request? There are quite few articles around the web how to do it (for example here and here ).

Answer 3

Wouldn't it be easier to just add the authenticity token to every json request?

Yes, but then the client would have to send a request first just to get the token and then another with the actual POST request, which does not make sense IMHO..