Categories
csrf jquery ruby-on-rails

WARNING: Can’t verify CSRF token authenticity rails

253

I am sending data from view to controller with AJAX and I got this error:

WARNING: Can’t verify CSRF token authenticity

I think I have to send this token with data.

Does anyone know how I can do this?

Edit: My solution

I did this by putting the following code inside the AJAX post:

headers: {
  'X-Transaction': 'POST Example',
  'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
},

7

  • 7

    do you have <%= csrf_meta_tag %> in your layout header?

    – Anatoly

    Aug 26, 2011 at 10:34

  • yes like this : <%= csrf_meta_tags %>

    Aug 26, 2011 at 10:41

  • 6

    do you have jquery-rails libraries that provide ajax client-side functionality?

    – Anatoly

    Aug 26, 2011 at 10:43

  • 2

    And the HAML way is to add “= csrf_meta_tags”

    Jul 26, 2012 at 9:33


  • nice question, thanks for asking

    – AMIC MING

    Dec 8, 2015 at 2:46

397

You should do this:

  1. Make sure that you have <%= csrf_meta_tag %> in your layout

  2. Add beforeSend to all the AJAX requests to set the header like below:


$.ajax({
  url: 'YOUR URL HERE',
  type: 'POST',
  // Copy the token that csrf_meta_tag rendered into the layout into the request header.
  beforeSend: function(xhr) {
    xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content'));
  },
  data: 'someData=' + someData,
  success: function(response) {
    $('#someDiv').html(response);
  }
});

To send the token in all requests you can use:

$.ajaxSetup({
  headers: {
    'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
  }
});

8

  • 5

    Thanks! Worked for me like a charm!

    Jul 9, 2012 at 13:18

  • 37

    The jQuery UJS library provided by the Rails team adds the CSRF token to jQuery AJAX requests automatically. The README contains instructions on how to get set up. github.com/rails/jquery-ujs/blob/master/src/rails.js#L91

    Sep 2, 2012 at 10:53

  • 1

    Note that you can set the header for all requests at once with the $.ajaxSetup function.

    Feb 24, 2013 at 12:50

  • 1

    Excellent! Been searching for a while for this answer. Works seamlessly. Thanks!

    – cassi.lup

    Apr 30, 2013 at 19:27


  • 4

    As a note, if you are using jQuery UJS as suggested above, you need to ensure that the rails-ujs include comes after the jquery include or it will fail with the same error as the op.

    Sep 12, 2017 at 16:43
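
An added example, not part of any answer above and not jquery-ujs's own code: headers set through `$.ajaxSetup` are applied to every jQuery request, cross-origin ones included, so this sketch attaches the token only to same-origin requests that Rails actually verifies (Rails skips the check for GET and HEAD). The helper names `isSameOrigin` and `csrfHeadersFor` are hypothetical, and the origins and token used with them are constructed values.

```javascript
// Methods for which Rails does not verify the authenticity token.
var UNVERIFIED_METHODS = ['GET', 'HEAD'];

// True when `url` (absolute, relative or protocol-relative) resolves to the
// same scheme, host and port as the page that issues the request.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat it as foreign and send no token
  }
}

// Returns the headers to add to one request; an empty object means
// "do not send the token with this request".
function csrfHeadersFor(method, url, pageOrigin, token) {
  var verb = String(method || 'GET').toUpperCase();
  if (!token || UNVERIFIED_METHODS.indexOf(verb) !== -1) return {};
  if (!isSameOrigin(url, pageOrigin)) return {};
  return { 'X-CSRF-Token': token };
}

// Browser wiring: runs only where jQuery and a DOM are present.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    // Read the meta tag on every request instead of once at page load,
    // so a token that is replaced in the page later is still picked up.
    var token = jQuery('meta[name="csrf-token"]').attr('content');
    var headers = csrfHeadersFor(options.type, options.url,
                                 window.location.origin, token);
    Object.keys(headers).forEach(function (name) {
      jqXHR.setRequestHeader(name, headers[name]);
    });
  });
}
```

Load this after jQuery and keep `<%= csrf_meta_tags %>` in the layout, since the prefilter reads the token from that meta tag.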

31

The best way to do this is actually just use <%= form_authenticity_token.to_s %> to print out the token directly in your rails code. You don't need to use javascript to search the dom for the csrf token as other posts mention. Just add the headers option as below:

$.ajax({
  type: 'post',
  data: $(this).sortable('serialize'),
  headers: {
    'X-CSRF-Token': '<%= form_authenticity_token.to_s %>'
  },
  complete: function(request){},
  url: "<%= sort_widget_images_path(@widget) %>"
})

4

  • 7

    Instead of doing this for each ajax command, you could add headers to $.ajaxSetup().

    Nov 29, 2011 at 1:29


  • 1

    I’d rather recommend using this answer

    – opsidao

    Jul 23, 2012 at 11:11


  • 17

    I don’t really like the approach of using ERB in the javascript.

    Jul 27, 2012 at 21:39

  • This forces you to generate your javascript with ERB, which is very limiting. Even if there are places where ERB might be a good fit, there are others where it’s not, and adding it just to get the token would be a waste.

    – sockmonk

    Apr 3, 2014 at 23:36

22

If I remember correctly, you have to add the following code to your form, to get rid of this problem:

<%= token_tag(nil) %>

Don’t forget the parameter.

1

  • 8

    Actually, this should be: <%= token_tag(nil) %>. Then you get the auto-generated token.

    – szeryf

    May 16, 2012 at 19:54