I have a question which I can't seem to figure out from all the googling. I am building a Rails app, basically an API app. When I send a POST request it returns the error 'InvalidAuthenticityToken', so I used
skip_before_action :verify_authenticity_token
And after some googling I came to know that it is not recommended to skip this because our app will be vulnerable to CSRF attacks. I am also using the Doorkeeper gem for my authentication. My question is: even if I have the Doorkeeper gem for authentication, will my app still be vulnerable to attacks?
I have also placed this code in my application controller and removed the above code:
protect_from_forgery with: :null_session
Is this safe, or can someone say how to properly implement this?
It's good to have CSRF attack protection in your app. In an API you can add this token to a header and pass it between frontend and backend. I used this guide from Pragmatic Studio to set it up in my application:
https://pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication
However, I have no idea how it will work with Doorkeeper (haven't used it).
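To make the behaviour asked about concrete, here is an added plain-Ruby model (not Rails code, and not from either post) of what `protect_from_forgery with: :null_session` does when Doorkeeper bearer tokens and cookie sessions are both in play. The token values, session store, cookie name and header names are constructed for the example.

```ruby
# Constructed sample credentials: a Doorkeeper-style access token and a
# cookie-backed session with its per-session authenticity token.
ACCESS_TOKENS = { "tok_abc123" => "alice" }.freeze
SESSIONS      = { "sess_xyz" => { "user" => "bob", "csrf" => "csrf_999" } }.freeze
SAFE_METHODS  = %w[GET HEAD OPTIONS].freeze

# Constant-time string comparison so the CSRF check does not leak the
# token through timing (Rails uses ActiveSupport::SecurityUtils for this).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of `protect_from_forgery with: :null_session`.
# A request is a hash { method:, headers:, cookies: }. Returns the user the
# request acts as, or nil when nothing authenticates it.
def authenticate(request)
  headers = request[:headers] || {}
  cookies = request[:cookies] || {}

  # 1. Bearer token in the Authorization header (the Doorkeeper path).
  #    A browser never attaches this header by itself to a cross-site form
  #    post or image load, so another origin cannot forge such a request.
  #    An invalid bearer token is rejected outright, with no cookie fallback.
  auth = headers["Authorization"].to_s
  return ACCESS_TOKENS[auth.delete_prefix("Bearer ")] if auth.start_with?("Bearer ")

  # 2. Cookie-backed session. Browsers send cookies to any origin on their
  #    own, which is exactly what CSRF abuses, so a state-changing request
  #    must also carry the authenticity token (X-CSRF-Token header).
  session = SESSIONS[cookies["_app_session"]]
  return nil unless session
  return session["user"] if SAFE_METHODS.include?(request[:method])

  sent = headers["X-CSRF-Token"].to_s
  # :null_session does not raise like :exception does; a request without a
  # valid token is simply handled as if it had no session at all.
  secure_compare(sent, session["csrf"]) ? session["user"] : nil
end

# Demo: a forged cross-site POST carries the cookie but neither header.
forged = { method: "POST", headers: {}, cookies: { "_app_session" => "sess_xyz" } }
puts "forged POST acts as: #{authenticate(forged).inspect}"   # prints nil
```

The upshot for the question: requests authenticated by a Doorkeeper bearer token keep working under `:null_session`, while a forged request riding on the session cookie alone is treated as anonymous rather than as the logged-in user.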