X-XSRF-TOKEN request header should be X-CSRF-TOKEN instead in the documentation

[youyoumu]

docs: https://inertia-rails.dev/guide/csrf-protection
reference: https://guides.rubyonrails.org/security.html#csrf-countermeasures

here is the video showing X-XSRF-TOKEN doesn't work but X-CSRF-TOKEN does

Screencast.From.2024-11-30.17-43-11.mp4

note: this is my first issue on open source project, can i get assigned to this? 👀

[skryukov]

Hey @youyoumu, thanks for the issue! I'm happy that inertia-rails became your first OSS repo to contribute an issue to! 😄

It's a bit tricky, but Inertia Rails supports X-XSRF-TOKEN for Inertia requests:

inertia-rails/lib/inertia_rails/middleware.rb

Lines 93 to 95 in 234aaab

	def copy_xsrf_to_csrf!
	@env['HTTP_X_CSRF_TOKEN'] = @env['HTTP_X_XSRF_TOKEN'] if @env['HTTP_X_XSRF_TOKEN'] && inertia_request?
	end

So the example from your reproduction will work once you add the X-Inertia header.

[youyoumu]

i see. what if we add additional note?

Note

X-XSRF-TOKEN header only works for Inertia requests. If you want to send a normal request you can use X-CSRF-TOKEN instead

---

or it's not needed because people should use router.visit() instead 🤔
for context, i'm using wretch here

[skryukov]

Yup, sounds great 🙏

[youyoumu]

ok. i just created the PR #171 😄