Turning off authenticity token in Rails 2 for web services?

Question

Instead of just filling out the form in HTML it should also be possible to just send a post request containing the params.. Is it possible to turn off the authenticity token

Answer 1

Wouldn't it be easier to just add the authenticity token to every json request?

Yes, but then the client would have to send a request first just to get the token and then another with the actual POST request, which does not make sense IMHO..

Answer 2

I know there is a way to turn it off for a controller or an action. Not sure about the content type. Wouldn't it be easier to just add the authenticity token to every json request? There are quite few articles around the web how to do it (for example here and here).

Answer 3

The request forgery protection works on the basis of checking the content-type of requests and it only checks the requests that can be made by a browser. No browser is able to generate a request with the content-type set to "application/json" for example. That's why the rails forgery protection routine won't check it. So, if you want to make a json request to your application, set the content-type header to "application/json" and it should work.