We are creating mobile support for our Ruby on Rails website, and ran into the problem of handling authenticity tokens.
As previous articles have mentioned, authenticity tokens are created on the Rails server when a form is created and then placed on the form page to prevent tampering.
Understanding the Rails Authenticity Token
Now we can handle the requests from a mobile phone by disabling the CSRF protect_from_forgery.
My question is: what is the best way of securing external mobile POST interfaces to our Ruby on Rails instance?
You could use OAuth. The app would present the server with a key and secret, that the server could validate. In response, the server gives the app a token. All subsequent requests made by the client must include the token in an Authentication header.
This would ensure that only authorized clients access your server. And to be authorized, a client would have to acquire a token using a known-only-to-the-client-and-server key and secret.
I am sure there are other solutions too, but you get the idea.
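The exchange the answer describes, as an added example that is not part of the original thread or of any Rails library: the mobile client presents its key and secret, the server hands back a random token with an expiry, and every later request carries that token in the Authorization header (the answer's "Authentication header"). Everything here is plain Ruby with the standard library; CLIENTS, TOKENS, TOKEN_TTL, issue_token and authenticate are names chosen for this example, the client key and secret are constructed sample values, and the in-memory hashes stand in for the database tables a real app would use.

```ruby
require "securerandom"
require "time"

# Hypothetical registry of mobile clients: client key => shared secret.
# Constructed sample values for this example; a real app keeps these in a
# database (ideally storing a hash of the secret, not the secret itself).
CLIENTS = {
  "mobile-ios-app" => "s3cr3t-ios-example",
}

TOKEN_TTL = 3600 # seconds an issued token remains valid

# Issued tokens: token => { client_key:, expires_at: } (in-memory for the example)
TOKENS = {}

# Byte-by-byte comparison whose running time does not depend on where the
# first mismatch is, so secret/token checks do not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Step 1 of the exchange: client sends key + secret, server validates them
# and returns a fresh random token, or nil when the credentials are wrong.
def issue_token(client_key, secret)
  stored = CLIENTS[client_key]
  return nil unless stored && constant_time_equal?(stored, secret)

  token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness, unguessable
  TOKENS[token] = { client_key: client_key, expires_at: Time.now + TOKEN_TTL }
  token
end

# Step 2: every subsequent request must carry "Authorization: Bearer <token>".
# Returns the client key the token belongs to, or nil if the header is
# missing, malformed, unknown, or expired. `now` is injectable for testing.
def authenticate(headers, now: Time.now)
  header = headers["Authorization"].to_s
  return nil unless header.start_with?("Bearer ")

  token = header.delete_prefix("Bearer ")
  record = TOKENS[token]
  return nil unless record

  if now > record[:expires_at]
    TOKENS.delete(token) # expired tokens are purged the first time they are seen
    return nil
  end
  record[:client_key]
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token("mobile-ios-app", "s3cr3t-ios-example")
  puts "issued token for client: #{authenticate({ "Authorization" => "Bearer #{token}" })}"
  puts "wrong secret rejected: #{issue_token("mobile-ios-app", "wrong").nil?}"
end
```

In a Rails app, authenticate would run from a before_action on the API controllers that the question turns protect_from_forgery off for, reading request.headers and rendering 401 on nil. Because the token travels in a header the client sets explicitly rather than in a cookie the browser attaches automatically, a third-party page cannot make the user's browser send it, which is why this design does not reopen the CSRF hole that the form token guards against.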