Rails 3 authenticity token

I’m working on a legacy Rails app. I was told about a few instances where the application is vulnerable to CSRF attacks.
One is a password reset form. I wondered how it could be vulnerable because it has an authenticity token and the accompanying CSRF meta tags. In Chrome I removed the token from the form and submitted; to my surprise it succeeded with no issue at all. The only small indication that something was amiss was a warning in the server log: WARNING: Can't verify CSRF token authenticity. Is this standard behaviour? Shouldn’t the app crash in the dev environment?