Pakyow provides the following environment config options for cross-site request forgery:

• security.csrf.origin_whitelist: Requests from this list of origins are always allowed. Default: []

• security.csrf.allow_empty_referrer: If true, requests without a referrer header are allowed. Default: true

• security.csrf.param: Name of the request param that contains the authenticity token. Default: :authenticity_token

Security config lives in config/application.rb:

Pakyow.app do
  configure do
    config.security.option = :value
  end
end