If the CSRF is disabled, also remove the metatags. Fixes #696

luckyframework · May 14, 2023 · 4917817 · 4917817
1 parent 161fe88
commit 4917817
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/src/browser_app_skeleton/src/components/shared/layout_head.cr b/src/browser_app_skeleton/src/components/shared/layout_head.cr
@@ -7,12 +7,27 @@ class Shared::LayoutHead < BaseComponent
       title "My App - #{@page_title}"
       css_link asset("css/app.css")
       js_link asset("js/app.js"), defer: "true"
-      csrf_meta_tags
+      csrf_meta_tags if include_csrf_tag?
       responsive_meta_tag
 
       # Development helper used with the `lucky watch` command.
       # Reloads the browser when files are updated.
       live_reload_connect_tag if LuckyEnv.development?
     end
   end
+
+  # Cross Site Request Forgery protection is
+  # enabled by default. This includes a hidden input
+  # used in forms when using the `form_for` method.
+  #
+  # This can be disabled by creating a new `config/forms.cr`
+  # file, and setting this to `false`.
+  # ```
+  # Lucky::FormHelpers.configure do |settings|
+  #   settings.include_csrf_tag = false
+  # end
+  # ```
+  private def include_csrf_tag? : Bool
+    Lucky::FormHelpers.settings.include_csrf_tag
+  end
 end