module Roda::RodaPlugins::Csrf

  1. lib/roda/plugins/csrf.rb

This plugin is no longer recommended for use; it exists only for backwards compatibility. Consider using the route_csrf plugin instead, as it provides stronger CSRF protection.

The csrf plugin adds CSRF protection using rack_csrf, along with some CSRF helper methods to use in your views. To use it, load the plugin; the options hash is passed to Rack::Csrf:

plugin :csrf, raise: true

Optionally, you can choose not to set up the rack_csrf middleware on the Roda app if you already have one configured:

plugin :csrf, skip_middleware: true

This adds the following instance methods:


The field name to use for the hidden/meta CSRF tag.


The HTTP header name to use for submitting the CSRF token via headers (useful for JavaScript).


An HTML meta tag string containing the token, suitable for placing in the page header.


An HTML hidden input tag string containing the token, suitable for placing in an HTML form.


The value of the CSRF token, in case it needs to be accessed directly.


Public Class

  1. configure


CSRF = ::Rack::Csrf  

Public Class methods

configure(app, opts={})

Load the Rack::Csrf middleware into the app with the given options.

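# File lib/roda/plugins/csrf.rb
def self.configure(app, opts={})
  # Leave the middleware stack alone if the app already sets up rack_csrf.
  return if opts[:skip_middleware]
  app.instance_exec do
    @middleware.each do |(mid, *rest), _|
      # Rack::Csrf is already in the stack: merge the new options into
      # its existing options hash and rebuild, instead of adding it twice.
      if mid.equal?(CSRF)
        rest[0].merge!(opts)
        build_rack_app
        return
      end
    end
    # Not loaded yet: add Rack::Csrf with the given options.
    use CSRF, opts
  end
end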
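
The merge behaviour of configure, as an added example that is not Roda's own code: loading the plugin a second time does not add a second middleware, and the later options overwrite the earlier ones (here a later `raise: false` replaces `raise: true`). FakeCsrf and FakeApp are hypothetical stand-ins for Rack::Csrf and a Roda app's middleware list, and the option values are constructed.

```ruby
# Added illustration; FakeCsrf and FakeApp are hypothetical stand-ins for
# Rack::Csrf and for the middleware bookkeeping of a Roda app.
FakeCsrf = Class.new

class FakeApp
  attr_reader :middleware, :builds

  def initialize
    @middleware = []
    @builds = 0
  end

  # Record the middleware with its arguments, then rebuild the stack.
  def use(*args, &block)
    @middleware << [args, block]
    build_rack_app
  end

  def build_rack_app
    @builds += 1
  end
end

# Same control flow as the plugin's configure; the returned symbols are
# added here only so the outcome of each call can be inspected.
def configure(app, opts = {})
  return :skipped if opts[:skip_middleware]
  app.instance_exec do
    @middleware.each do |(mid, *rest), _|
      if mid.equal?(FakeCsrf)
        rest[0].merge!(opts) # later options overwrite earlier ones
        build_rack_app
        return :merged
      end
    end
    use FakeCsrf, opts
  end
  :added
end

def demo
  app = FakeApp.new
  results = [configure(app, raise: true),                      # first load
             configure(app, raise: false, field: "_my_csrf"),  # second load
             configure(app, skip_middleware: true)]            # opt out
  entries = app.middleware.select { |(mid, *_rest), _| mid.equal?(FakeCsrf) }
  results + [entries.length, entries[0][0][1], app.builds]
end

p demo if $PROGRAM_NAME == __FILE__
```

When reviewing an app that loads this plugin in more than one place, check the final merged options rather than the first `plugin :csrf` call.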