From 14b67b32fed19a30aaf9826ee72f2a29cda604e9 Mon Sep 17 00:00:00 2001
From: Andrew Kane
Date: Tue, 4 Aug 2020 12:20:00 -0700
Subject: [PATCH] Fixed CSRF vulnerability with non-session based authentication
---
 CHANGELOG.md | 1 +
 app/controllers/pg_hero/home_controller.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad87000cd..255e77acc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## 2.6.1 (unreleased)
+- Fixed CSRF vulnerability with non-session based authentication
 - Added `database`, `user`, and `query_hash` options to `reset_query_stats` method
 ## 2.6.0 (2020-07-09)
diff --git a/app/controllers/pg_hero/home_controller.rb b/app/controllers/pg_hero/home_controller.rb
index 4bd77460d..949241004 100644
--- a/app/controllers/pg_hero/home_controller.rb
+++ b/app/controllers/pg_hero/home_controller.rb
@@ -2,7 +2,7 @@ module PgHero
 class HomeController < ActionController::Base
 layout "pg_hero/application"
- protect_from_forgery
+ protect_from_forgery with: :exception
 http_basic_authenticate_with name: PgHero.username, password: PgHero.password if PgHero.password
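Review bot: The new `protect_from_forgery with: :exception` line has no comment explaining why the strategy is spelled out, and the diffstat shows no test added with it, so a later cleanup could drop the option without anything failing. A bare `protect_from_forgery` falls back to `:null_session`, which only empties the session for that request; with HTTP basic auth, or any other authentication that does not live in the session, the browser still attaches the credentials and the action runs. I would add above the line `# :null_session is not enough here: basic auth does not use the session, so an unverified request must raise`, plus a controller test that enables forgery protection, sends a POST without an authenticity token and expects `ActionController::InvalidAuthenticityToken`. Rails skips this check for GET requests, so it is worth confirming that every state-changing action in this controller is routed as non-GET; the class body continues outside the hunk and the routes are not shown.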