Blogs and Stuff
Intellectual plumbing and 100% toll free.
As I mentioned in a previous blog, Rails recently introduced RequestForgeryProtection. I wanted to take full advantage of this functionality to help protect against CSRF-based attacks. I realize it's not a perfect method, but every layer helps. One of the observations I made when reviewing some of my code is that a number of actions in my controllers did not check which HTTP method the request used. Therefore, actions like deleting a blog or media file would work regardless of the HTTP method provided by the user, as long as the user was logged in. Not a huge problem, right? Well, not quite.
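The reason it matters is that Rails' forgery protection only checks the authenticity token on non-GET requests, so a destructive action that also answers GET never gets the token check at all, and the Rails-era fix was to restrict the verb (for example `verify :method => :delete, :only => :destroy` in the controller). The following is an added example, not the blog's code and not the Rails implementation: a plain-Ruby model in which `Request`, `BlogsController`, `verified_request?` and `demo` are hypothetical stand-ins that reproduce that interaction, with the requests constructed inline.

```ruby
# Added example (not the blog's code): a plain-Ruby model of how the Rails 2.0-era
# RequestForgeryProtection rule ("only verify non-GET requests") interacts with an
# action that accepts any HTTP verb. Everything here is a hypothetical stand-in
# for the framework, not the Rails source.
require 'securerandom'

Request = Struct.new(:method, :params, :session)

# Mirrors the rule the Rails module applies: the authenticity token is only
# compared on non-GET requests, so a GET is never treated as a forgery.
def verified_request?(request)
  return true if request.method == :get
  token = request.session[:csrf_token]
  !token.nil? && request.params[:authenticity_token] == token
end

class BlogsController
  attr_reader :deleted

  # verify_method plays the role of Rails' `verify :method => :delete`;
  # nil means "accept any verb", which is the situation described in the post.
  def initialize(verify_method: nil)
    @verify_method = verify_method
    @deleted = []
  end

  # Returns :deleted, :forbidden (wrong verb) or :forged (token check failed).
  def destroy(request, blog_id)
    return :forbidden if @verify_method && request.method != @verify_method
    return :forged unless verified_request?(request)
    @deleted << blog_id
    :deleted
  end
end

def demo
  session = { csrf_token: SecureRandom.hex(16) }
  # Constructed request: a cross-site GET that arrives with the logged-in
  # session but, naturally, without the site's authenticity token.
  cross_site_get = Request.new(:get, {}, session)
  # Constructed request: the site's own form sends DELETE with the token.
  legit_delete = Request.new(:delete, { authenticity_token: session[:csrf_token] }, session)
  # Constructed request: a POST that lacks the token, to show the check firing.
  tokenless_post = Request.new(:post, {}, session)

  unrestricted = BlogsController.new
  restricted = BlogsController.new(verify_method: :delete)
  {
    unrestricted_get: unrestricted.destroy(cross_site_get, 1),   # :deleted  (token check skipped)
    restricted_get: restricted.destroy(cross_site_get, 1),       # :forbidden (verb rejected)
    restricted_delete: restricted.destroy(legit_delete, 2),      # :deleted  (verb and token ok)
    unrestricted_post: unrestricted.destroy(tokenless_post, 3)   # :forged   (token check fires)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `unrestricted_get` result is the whole point: with forgery protection enabled but the verb unchecked, a plain GET still deletes the record because the token comparison is skipped for GET. Restricting the verb turns that same request into `:forbidden`, and the token check then covers everything that is allowed through.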