I understand that Rails adds CSRF tokens to the forms created with its custom functions like form_with etc. BUT does it also generate CSRF tokens (a.k.a. authenticity_token in Rails terms) for general HTML
I am seeing mixed answers for this. Anyone with hands-on experience on Rails help me here?
I figured I should make this into a full-fledged answer.
No, manually creating a <form></form> in Rails will not automatically insert the authenticity token. The token is only inserted when using a Rails form helper. These helpers allow you to specify the fields for a form without specifying the authenticity token; it will put the token field into the form automatically. For example:
<%= form_for @person do |f| %>
  <%= f.label :first_name %>:
  <%= f.text_field :first_name %><br />
  <%= f.label :last_name %>:
  <%= f.text_field :last_name %><br />
  <%= f.submit %>
<% end %>
Generates the following HTML with the hidden authenticity_token field:
<form action="/people" class="new_person" id="new_person" method="post">
  <input name="authenticity_token" type="hidden" value="NrOp5bsjoLRuK8IW5+dQEYjKGUJDe7TQoZVvq95Wteg=" />
  <label for="person_first_name">First name</label>:
  <input id="person_first_name" name="person[first_name]" type="text" /><br />
  <label for="person_last_name">Last name</label>:
  <input id="person_last_name" name="person[last_name]" type="text" /><br />
  <input name="commit" type="submit" value="Create Person" />
</form>
But if you manually generate the HTML, for example using HAML:
%html
  %head
  %body
    %form
The generated HTML looks like:
<html>
  <head></head>
  <body>
    <form></form>
  </body>
</html>
...without any authenticity_token field.
In the article you linked to, it says "A typical form generated in Rails..." meaning generated using a Rails form helper. Manually created forms are not "generated" in the sense used in this context.
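Added example (not part of the answer above, and not Rails' own code): a small, Rails-independent Ruby script that mimics what a hand-written form has to carry and what the server-side forgery check compares. In a real Rails view the equivalent of `hidden_token_field` is `hidden_field_tag :authenticity_token, form_authenticity_token` (or `csrf_meta_tags` in the layout for JavaScript-driven requests). The session here is a plain Hash, the token is the raw session value (real Rails additionally masks it per request), and the helper names are assumptions made for this illustration.

```ruby
# Added illustration, not Rails internals: shows why a bare <form> fails the
# CSRF check and what a manually written form must include to pass it.
require 'securerandom'
require 'cgi'

# Assumption: the session is a Hash; Rails keeps the token in the session store.
def ensure_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The hidden field a hand-written form needs. In ERB this is
# hidden_field_tag :authenticity_token, form_authenticity_token.
def hidden_token_field(session)
  token = ensure_csrf_token(session)
  %(<input type="hidden" name="authenticity_token" value="#{CGI.escapeHTML(token)}" />)
end

# Builds a POST form either with or without the hidden token field,
# standing in for a form helper versus a manually written <form>.
def build_form(session, action:, with_token:)
  fields = with_token ? hidden_token_field(session) : ''
  %(<form action="#{action}" method="post">#{fields}<input name="commit" type="submit" /></form>)
end

# Constant-time comparison so a wrong token is not distinguishable by timing.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What protect_from_forgery conceptually does for a non-GET request:
# the submitted authenticity_token must equal the token bound to the session.
def verified_request?(session, params)
  expected = session[:_csrf_token]
  return false if expected.nil?
  constant_time_equal?(expected, params['authenticity_token'].to_s)
end

# Simulates the browser submitting the form: extracts the hidden field (if any)
# from the rendered HTML into a params hash.
def params_from_form(html)
  m = html.match(/name="authenticity_token"[^>]*value="([^"]*)"/)
  m ? { 'authenticity_token' => CGI.unescapeHTML(m[1]) } : {}
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  helper_form = build_form(session, action: '/people', with_token: true)
  manual_form = build_form(session, action: '/people', with_token: false)
  puts "helper-style form verified: #{verified_request?(session, params_from_form(helper_form))}"
  puts "bare <form> verified:       #{verified_request?(session, params_from_form(manual_form))}"
end
```

Run it as a plain script: the form carrying the hidden field verifies, the bare `<form>` (the HAML case in the answer) produces an empty params hash and is rejected, which is exactly the "mixed answers" distinction the question asks about.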