Methods
P
Instance Public methods
protect_from_forgery(options = {})

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.

Example: 

  class FooController < ApplicationController
    protect_from_forgery :except => :index

You can disable csrf protection on controller-by-controller basis: 

  skip_before_filter :verify_authenticity_token

It can also be disabled for specific controller actions: 

  skip_before_filter :verify_authenticity_token, :except => [:create]

Valid Options:

  • :only/:except - Passed to the before_filter call. Set which actions are verified.

Source: show | on GitHub 

    # File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 67
67:       def protect_from_forgery(options = {})
68:         self.request_forgery_protection_token ||= :authenticity_token
69:         prepend_before_filter :verify_authenticity_token, options
70:       end