Fixed CSRF vulnerability with non-session based authentication

ankane · Aug 4, 2020 · 14b67b3 · 14b67b3
1 parent 8f190fa
commit 14b67b3
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## 2.6.1 (unreleased)
 
+- Fixed CSRF vulnerability with non-session based authentication
 - Added `database`, `user`, and `query_hash` options to `reset_query_stats` method
 
 ## 2.6.0 (2020-07-09)

diff --git a/app/controllers/pg_hero/home_controller.rb b/app/controllers/pg_hero/home_controller.rb
@@ -2,7 +2,7 @@ module PgHero
   class HomeController < ActionController::Base
     layout "pg_hero/application"
 
-    protect_from_forgery
+    protect_from_forgery with: :exception
 
     http_basic_authenticate_with name: PgHero.username, password: PgHero.password if PgHero.password