class Marten::Conf::GlobalSettings::CSRF
- Marten::Conf::GlobalSettings::CSRF
- Reference
- Object
Overview
Defines configuration options related to Cross Site Request Forgery protection.
Defined in:
marten/conf/global_settings/csrf.crInstance Method Summary
-
#cookie_domain : String?
Returns the domain to use when setting the CSRF cookie.
-
#cookie_domain=(cookie_domain : Nil | String)
Allows to set the domain to use when setting the CSRF cookie.
-
#cookie_http_only : Bool
Returns a boolean indicating whether client-side scripts should have access to the CSRF token cookie.
-
#cookie_http_only=(cookie_http_only : Bool)
Allows to set whether client-side scripts should have access to the CSRF token cookie.
-
#cookie_max_age : Int32
Returns the max age (in seconds) of the CSRF cookie.
-
#cookie_max_age=(cookie_max_age : Int32)
Allows to set the max age (in seconds) of the CSRF cookie.
-
#cookie_name : String
Returns the name of the cookie to use for the CSRF token (defaults to
"csrftoken"
). -
#cookie_name=(name : String | Symbol)
Allows to set the name of the cookie to use for the CSRF token.
-
#cookie_same_site : String
Returns the value of the SameSite flag to use for the CSRF cookie (defaults to
"Lax"
). -
#cookie_same_site=(cookie_same_site : String)
Allows to set the value of the SameSite flag to use for the CSRF cookie.
-
#cookie_secure : Bool
Returns a boolean indicating whether to use a secure cookie for the CSRF cookie.
-
#cookie_secure=(cookie_secure : Bool)
Allows to set whether secure cookies should be used for CSRF cookies.
-
#protection_enabled : Bool
Returns a boolean indicating if CSRF protection is enabled globally (defaults to
true
). -
#protection_enabled=(protection_enabled : Bool)
Allows to set whether or not CSRF protection is enabled globally.
-
#session_key : String
Returns the session key to use for the CSRF token (defaults to
"csrftoken"
). -
#session_key=(name : String | Symbol)
Allows to set session key to use for the CSRF token.
-
#trusted_origins : Array(String)
Returns the array of CSRF-trusted origins.
-
#trusted_origins=(origins : Array(String))
Allows to define an array of trusted origins.
-
#use_session : Bool
Returns a boolean indicating if the CSRF token is stored inside the session.
-
#use_session=(use_session : Bool)
Allows to set whether or not the CSRF token should be stored inside the session.
Instance Method Detail
Allows to set the domain to use when setting the CSRF cookie.
Returns a boolean indicating whether client-side scripts should have access to the CSRF token cookie.
Allows to set whether client-side scripts should have access to the CSRF token cookie.
Returns the max age (in seconds) of the CSRF cookie.
By default, CSRF cookie max age is set to 31556952
(approximatively one year).
Allows to set the max age (in seconds) of the CSRF cookie.
Returns the name of the cookie to use for the CSRF token (defaults to "csrftoken"
).
Allows to set the name of the cookie to use for the CSRF token.
Returns the value of the SameSite flag to use for the CSRF cookie (defaults to "Lax"
).
Allows to set the value of the SameSite flag to use for the CSRF cookie.
Returns a boolean indicating whether to use a secure cookie for the CSRF cookie.
Allows to set whether secure cookies should be used for CSRF cookies.
Returns a boolean indicating if CSRF protection is enabled globally (defaults to true
).
Allows to set whether or not CSRF protection is enabled globally.
Returns the session key to use for the CSRF token (defaults to "csrftoken"
).
Allows to define an array of trusted origins.
These origins will be trusted for CSRF-protected requests (such as POST requests) and they will be used to
check either the Origin
or the Referer
header depending on the request scheme. This is done to ensure that
a specific subdomain such as sub1.example.com
cannot issue a POST request to sub2.example.com
. In order to
enable CSRF-protected requests over different origins, it's possible to add trusted origins to this array. For
example https://sub1.example.com
can be configured as a trusted domain that way, but it's possible to allow
CSRF-protected requests for all the subdomains of a specific domain by using https://*.example.com
.
Returns a boolean indicating if the CSRF token is stored inside the session.
Allows to set whether or not the CSRF token should be stored inside the session.