Hacker News
by tonyennis 953 days ago
That hidden CSRF field can be added without form_with though, and Rails still protects against not including it. I left it out of the example as it didn't seem relevant.
1 comments

Yes, it can be added, but manually, going over all the forms. Also, how would it protect against CSRF without the token in place?

Note: I totally agree that we should strive to go HTML first. However, this specific example is a bit unfair.