Consider a Rails application with default CSRF protection enabled. What will happen if a form is submitted without including the CSRF token?
Think about what Rails does to protect against forged requests.
With the configuration generated for a new app (protect_from_forgery with: :exception, which Rails 5.2 and later apply automatically through config.action_controller.default_protect_from_forgery), Rails rejects the request before the action runs by raising ActionController::InvalidAuthenticityToken when the CSRF token is missing or invalid, so the forged submission never takes effect. The strategy is configurable: with: :null_session processes the request with an empty session instead of raising (common for API controllers), and with: :reset_session discards the session. GET and HEAD requests are never verified, which is why they must not change state.
In Rails views, which code snippet correctly ensures the CSRF token is included in the form?
Look for the correct hidden input name and method to get the token.
The hidden input must be named authenticity_token and carry the value returned by form_authenticity_token, as in `<input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>">` (the hidden_field_tag helper produces the same element). The csrf_meta_tags helper emits <meta name="csrf-token"> tags in the document head, which JavaScript reads to set the X-CSRF-Token header on AJAX requests; it adds no form input. Form helpers such as form_with and form_for include the hidden field automatically, but the question asks for the explicit snippet. Note that form_authenticity_token returns a freshly masked value on every call, so two renders show different strings that both verify against the same session token.
A developer disables CSRF protection in a Rails controller using skip_before_action :verify_authenticity_token. What is the main security risk introduced?
Think about what CSRF protection prevents.
Disabling the check means every POST, PATCH, PUT or DELETE to that controller is accepted on the strength of the session cookie alone. Because browsers attach cookies to cross-site requests, an attacker-controlled page can make a logged-in victim's browser submit a request (for example an auto-submitted hidden form) that changes the victim's data without their knowledge: a cross-site request forgery. Skipping verification is only defensible for actions that do not rely on cookie-based sessions, such as API endpoints authenticated by a token sent in a header, and even then it should be limited to those actions with only:.
Which statement best describes how Rails verifies the CSRF token on POST, PATCH, PUT, or DELETE requests?
Consider where Rails stores the token and how it compares it.
Rails keeps a per-session secret in session[:_csrf_token]. On each non-GET/HEAD request it reads the submitted token from the authenticity_token parameter or the X-CSRF-Token header, unmasks it (the value placed in forms is the session token XORed with a random one-time pad, so every rendered form carries a different string; this is the BREACH mitigation introduced in Rails 4.2), and compares the result with the session token using a constant-time comparison. Since Rails 5 it also requires the Origin header, when the browser sends one, to match the application's own origin. A missing, malformed or non-matching token makes the request unverified and triggers the configured protect_from_forgery strategy.
Given a Rails app with default CSRF protection, after a user submits a valid form with a correct CSRF token, what happens to session[:_csrf_token]?
Think about token reuse and session persistence.
Nothing: Rails leaves session[:_csrf_token] unchanged across requests. One session token is valid for every form rendered during that session, and only the random mask applied at render time differs from form to form, so multiple tabs and repeated submissions work without regenerating the secret. The token is replaced only when the session itself is replaced, for example when login or logout code calls reset_session or the session cookie expires.
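The verification flow described in the last two answers, together with the explicit hidden-field snippet asked for in the second question, as an added worked example: this is a simplified stand-alone Ruby model written for this page, not Rails' own code. Method names follow ActionController::RequestForgeryProtection where such methods exist; the plain Hash used as the session, the SITE_ORIGIN constant, the in-memory form rendering and the omission of per-form tokens are assumptions made to keep it self-contained.

```ruby
require "securerandom"
require "base64"
require "erb"

# Simplified model of how Rails generates, masks and verifies CSRF tokens.
# Illustration for this page, not Rails' own code. The Hash session and
# SITE_ORIGIN are assumptions; per-form tokens are left out.
TOKEN_LENGTH = 32                      # AUTHENTICITY_TOKEN_LENGTH in Rails
SITE_ORIGIN  = "https://example.com"   # assumed application origin for the Origin check
SAFE_METHODS = %w[GET HEAD].freeze     # never verified; they must be side-effect free

class InvalidAuthenticityToken < StandardError; end

# Constant-time equality so a wrong token does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |x, y| x ^ y }.pack("C*")
end

# The real token is created once per session under :_csrf_token and returned
# unchanged afterwards; nothing in the verification path rotates it.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(TOKEN_LENGTH)
  Base64.urlsafe_decode64(session[:_csrf_token])
end

# What form_authenticity_token returns: the real token XORed with a fresh
# one-time pad, pad prepended, so each rendered form carries a different
# string (BREACH mitigation) that still unmasks to the session token.
def masked_authenticity_token(session)
  raw = real_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.urlsafe_encode64(pad + xor_byte_strings(pad, raw), padding: false)
end

# Decode and unmask the submitted token, then compare with the session token.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String) && !encoded.empty?
  masked = Base64.urlsafe_decode64(encoded)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad, encrypted = masked[0, TOKEN_LENGTH], masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_byte_strings(pad, encrypted), real_csrf_token(session))
rescue ArgumentError # not valid base64
  false
end

# The before_action: accepts the authenticity_token param or the X-CSRF-Token
# header, requires a present Origin header to match the site, and raises on
# failure (the protect_from_forgery with: :exception behaviour).
def verify_authenticity_token!(session, http_method:, params: {}, headers: {})
  return :skipped if SAFE_METHODS.include?(http_method.to_s.upcase)
  origin_ok  = headers["Origin"].nil? || headers["Origin"] == SITE_ORIGIN
  candidates = [params["authenticity_token"], headers["X-CSRF-Token"]]
  valid = candidates.any? { |t| valid_authenticity_token?(session, t) }
  raise InvalidAuthenticityToken unless origin_ok && valid
  :verified
end

# The explicit view snippet from the second question, rendered with Ruby's ERB.
FORM_TEMPLATE = <<~HTML
  <form action="/posts" method="post">
    <input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>">
    <input type="submit" value="Create">
  </form>
HTML

def render_form(session)
  form_authenticity_token = masked_authenticity_token(session)
  ERB.new(FORM_TEMPLATE).result(binding)
end

# Pull the hidden field back out of the HTML, as a browser submission would.
def token_from_html(html)
  html[/name="authenticity_token" value="([^"]+)"/, 1]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token  = token_from_html(render_form(session))
  stored = session[:_csrf_token]
  puts verify_authenticity_token!(session, http_method: "POST", params: { "authenticity_token" => token })
  puts "session token unchanged: #{session[:_csrf_token] == stored}"
  begin
    verify_authenticity_token!(session, http_method: "POST")
  rescue InvalidAuthenticityToken => e
    puts "missing token: #{e.class}"
  end
end
```

Rendering the form twice for the same session yields two different masked strings that both verify, the stored session token is identical before and after a valid submission, and a request with no token, a malformed token, a token from another session, or a foreign Origin header raises InvalidAuthenticityToken while a GET is never checked.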