actionpack/lib/action_controller/metal/request_forgery_protection.rb · main · Rails relative code / rails-deleted-2

Feb 20, 2025

Do cheap/happy check first in `verified_request?` · e133b388

Hartley McGuire authored Feb 20, 2025

Since Rails 5.2, Action Controller enables `protect_from_forgery` by
default. `verified_request?` is called in a `before_action` to perform a
series of checks to ensure the request should proceed.

This commit reorders the checks so that the cheaper ones happen first,
which allows the method to return more quickly in cases that the request
does not need to be protected (GET/HEAD requests).

In the `r10k` benchmark, `verified_request?` shows up as ~2% in a
profile before this change and does not show up afterwards.

e133b388

Do cheap/happy check first in `verified_request?`

Hartley McGuire authored Feb 20, 2025

Since Rails 5.2, Action Controller enables `protect_from_forgery` by
default. `verified_request?` is called in a `before_action` to perform a
series of checks to ensure the request should proceed.

This commit reorders the checks so that the cheaper ones happen first,
which allows the method to return more quickly in cases that the request
does not need to be protected (GET/HEAD requests).

In the `r10k` benchmark, `verified_request?` shows up as ~2% in a
profile before this change and does not show up afterwards.