I was reading through the security guide and working on some basic ajax… I thought it might be worth a mention in the guide that we don’t need to set the X-CSRF-Token header when we create an ajax call. It is mentioned, but not very clear. I had to dig into rails to find what actually happens.
I have created a branch with the following text, added after line 242 in guides/source/security.md
If you are using ‘jquery-rails’ then your ajax calls will automatically include a ‘X-CSRF-Token’ HTTP header. The value of this header will match the ‘csrf-token’ meta tag in your document head. Rails will reject any incoming ajax call if the token is missing or incorrect. Malicious ajax which executes in the context of a different document will not have access to the csrf-token meta tag.
If this seems like a good addition, I am happy to submit it as a pull request to rails.git
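To make the server-side half of the proposed wording concrete, here is an added, simplified illustration of the verification step (example code written for this thread, not Rails' own `protect_from_forgery` implementation). It assumes a Rack-style `env` hash, a plain hash standing in for the session, and the hypothetical class name `CsrfCheck`.

```ruby
require 'securerandom'

# Hypothetical, simplified model of the check described in the post:
# a state-changing request must carry the session's token, either in the
# X-CSRF-Token header (what jquery-rails sends) or as authenticity_token.
class CsrfCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(session)
    @session = session
    @session[:csrf_token] ||= SecureRandom.base64(32)
  end

  # Value to embed in <meta name="csrf-token" content="..."> in the head.
  def token
    @session[:csrf_token]
  end

  # Returns :ok when the request may proceed, otherwise why it was refused.
  def verify(env, params = {})
    return :ok if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    # Rack exposes the X-CSRF-Token header as HTTP_X_CSRF_TOKEN.
    presented = env['HTTP_X_CSRF_TOKEN'] || params['authenticity_token']
    return :missing_token if presented.nil? || presented.empty?
    secure_equal?(presented, token) ? :ok : :invalid_token
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte
  # from response timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A request from a document on another origin cannot read the meta tag, so it cannot present the right value and falls into the `:missing_token` or `:invalid_token` branch.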