
I have a simple form

```html
<form accept-charset="UTF-8" action="/users" method="post">
  <label for="username">Username:</label>
  <input type="text" id="username" name="user[username]">
  <br>

  <label for="email">Email:</label>
  <input type="text" id="email" name="user[email]">
  <br>

  <label for="password">Password:</label>
  <input type="password" id="password" name="user[password]">

  <input type="submit" value="Submit">
</form>
```

And a controller

```ruby
  def create
    @user = User.new(user_params)

    if @user.save
      redirect_to new_user_path
    else
      render :new, status: :unprocessable_entity
    end
  end

  private

  def user_params
    params.require(:user).permit(:username, :email, :password)
  end
```

Params which I get

```
#<ActionController::Parameters {"user"=>{"username"=>"username", "email"=>"email", "password"=>"password"}, "controller"=>"users", "action"=>"create"} permitted: false>
```

I don't add a CSRF token to the HTML form, but it works correctly. Why is a CSRF token not required?

vladislav
  • Do you use `protect_from_forgery` statement? – Nick Roz Nov 26 '22 at 14:31
  • No, I don't. But from what I read, it isn't needed: https://stackoverflow.com/questions/55860171/protect-from-forgery-in-rails-6 Because it is set up by default (I also tried it and it doesn't help me) – vladislav Nov 26 '22 at 16:44
  • Start up the Rails console and write `ApplicationController.protect_from_forgery` - it should return `[:verify_same_origin_request]` by default in Rails 6/7. – max Nov 27 '22 at 08:09
  • My goal is to create a simple form, and I don't understand why it works without adding a token. – vladislav Nov 27 '22 at 08:32
