Rails: Can’t verify CSRF token authenticity when making a POST request

Cross site request forgery (CSRF/XSRF) is when a malicious web page tricks users into performing a request that is not intended, for example by using bookmarklets, iframes or just by creating a page which is visually similar enough to fool users.

The Rails CSRF protection is made for “classical” web apps – it simply gives a degree of assurance that the request originated from your own web app. A CSRF token works like a secret that only your server knows – Rails generates a random token and stores it in the session. Your forms send the token via a hidden input and Rails verifies that any non-GET request includes a token that matches what is stored in the session.

However, in an API that's intended to be used cross-site and even serve non-browser clients, it's not very useful due to the problems with cross-domain cookies and providing CSRF tokens.

In that case you should use a token based strategy of authenticating API requests with an API key and secret since you are verifying that the request comes from an approved API client – not from your own app.

You can deactivate CSRF as pointed out by @dcestari:

class ApiController < ActionController::Base
  protect_from_forgery with: :null_session
end

Updated. In Rails 5 you can generate API only applications by using the --api option:

rails new appname --api

They do not include the CSRF middleware and many other components that are superfluous.
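A constructed Ruby model of the check described in the answer above, added here as an example; it is not Rails' own implementation (Rails additionally masks the token it emits) and the names `verify_request`, `token_valid?` and `InvalidAuthenticityToken` are chosen for this illustration. It shows why a GET passes, why a POST without the session's token fails, and how the `:null_session` strategy lets such a request proceed with an empty session instead of raising.

```ruby
require 'securerandom'

# Constructed model of Rails' forgery check, not Rails code.
class InvalidAuthenticityToken < StandardError; end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# One random token per session, stored server-side.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# The hidden input a form embeds so the token comes back with the POST.
def hidden_input(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token_for(session)}">)
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_valid?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

# Safe methods pass; anything else must carry the session's token.
# strategy :exception mirrors `with: :exception` (reject the request),
# :null_session mirrors `with: :null_session` (continue with an empty session).
def verify_request(session, method:, params:, strategy: :exception)
  return session if SAFE_METHODS.include?(method.upcase)
  return session if token_valid?(session, params['authenticity_token'])

  case strategy
  when :exception then raise InvalidAuthenticityToken, 'CSRF token mismatch'
  when :null_session then {}
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end
```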
