When you generate a default Rails app, it puts this in application.html.erb:
<%= csrf_meta_tags %>
I would like to be able to serve identical HTML content for all users, so the page can be cached on Varnish or a CDN or whatever. Since the form_authenticity_token is different for every session, leaving csrf_meta_tags in the header makes it impossible for a proxy to cache the page.
I have an idea for how to fix it but thought I would ask here, to see if people think there would be problems with it: I could create an after_action in ApplicationController that looks like this:
cookies[:form_authenticity_token] = form_authenticity_token if form_authenticity_token
So basically send the form_authenticity_token to the browser in a cookie instead of putting it in the HTML.
- Does this expose me to any security problems?
- Is there any reason this wouldn’t work?
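The browser-side half of this idea, written as an added example rather than code from the original post: once the token only arrives in a cookie, JavaScript has to read it and attach it to requests, which means the cookie cannot be HttpOnly (it should still be Secure and carry a SameSite attribute), and the cached HTML must render its forms without the per-session authenticity_token input. The cookie name form_authenticity_token, the X-CSRF-Token header and the authenticity_token field are the ones Rails uses; the helper names are assumptions.

```javascript
// Added example (not from the original post): client side of the
// cookie-based CSRF token approach. Assumes the after_action sets a cookie
// named "form_authenticity_token" that JavaScript is allowed to read.

// Parse one cookie out of a document.cookie-style string ("a=1; b=2").
// Rails masked tokens are base64 and get percent-encoded in the cookie
// ("=" becomes "%3D"), so the value is decoded before use.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Headers for an Ajax request: Rails also accepts the token in X-CSRF-Token,
// so the cached page never has to carry the meta tag.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, 'form_authenticity_token');
  if (!token) {
    throw new Error('form_authenticity_token cookie missing; refusing to send a protected request');
  }
  return { 'X-CSRF-Token': token };
}

// Add a hidden authenticity_token input to every POST form that lacks one,
// so a fully cached page can still pass the Rails CSRF check on a plain submit.
// Returns the number of forms that were filled.
function installFormTokens(doc, cookieString) {
  const token = readCookie(cookieString, 'form_authenticity_token');
  if (!token) return 0;
  let filled = 0;
  for (const form of doc.querySelectorAll('form[method="post" i]')) {
    if (form.querySelector('input[name="authenticity_token"]')) continue;
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = 'authenticity_token';
    input.value = token;
    form.appendChild(input);
    filled += 1;
  }
  return filled;
}

// In a browser, wire the forms up on load; in Node this block is skipped.
if (typeof document !== 'undefined') {
  installFormTokens(document, document.cookie);
}
```

Because the token is session-scoped, a proxy must still avoid caching the Set-Cookie response itself; only the HTML body becomes user-independent.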