Avoid user enumeration with devise paranoid mode (#1527)

2017-04-11 14:21:15 +02:00
parent c9b9225951
commit a85d4473aa
1 changed files with 2 additions and 1 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -74,7 +74,8 @@ Devise.setup do |config|
  # It will change confirmation, password recovery and other workflows
  # to behave the same regardless if the e-mail provided was right or wrong.
  # Does not affect registerable.
-  # config.paranoid = true
+  # See : https://github.com/plataformatec/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable
+  config.paranoid = true

  # By default Devise will store the user in session. You can skip storage for
  # particular strategies by setting this option.