Fixed CSRF vulnerability with non-session based authentication

ankane · ankane · commit 14b67b32fed1 · 2020-08-04T12:20:00.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## 2.6.1 (unreleased)
 
+- Fixed CSRF vulnerability with non-session based authentication
 - Added `database`, `user`, and `query_hash` options to `reset_query_stats` method
 
 ## 2.6.0 (2020-07-09)
diff --git a/app/controllers/pg_hero/home_controller.rb b/app/controllers/pg_hero/home_controller.rb
@@ -2,7 +2,7 @@ module PgHero
   class HomeController < ActionController::Base
     layout "pg_hero/application"
 
-    protect_from_forgery
+    protect_from_forgery with: :exception
 
     http_basic_authenticate_with name: PgHero.username, password: PgHero.password if PgHero.password
 
