protect_from_forgery is a feature in Rails that protects against cross-site request forgery (CSRF) attacks. It ensures that a request really comes from the session of the authorized user. To make this happen, protect_from_forgery automatically includes a security token (a hidden form field), calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. The secret is not needed if we use the cookie as session storage. If the security token doesn't match what was expected, the session will be reset. This prevents malicious forms on other sites, or forms injected through XSS, from submitting to the Rails application.
In recent Rails versions it is added to ApplicationController by default:
class ApplicationController < ActionController::Base
  # Verifies the authenticity token on every non-GET request.
  # :exception is the Rails generator default; with: :reset_session gives the
  # session-reset behaviour described above.
  protect_from_forgery with: :exception
end
If we want to disable CSRF protection for a specific controller, we skip the verification callback in whichever controllers we don't want to be affected:
class XxxxxxController < ApplicationController
  # Turns off the token check for this controller only (skip_before_filter on Rails < 4).
  skip_before_action :verify_authenticity_token
end
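To make the mechanism above concrete, here is an added, standalone Ruby simulation of the check protect_from_forgery performs. It is illustrative code written for this note, not Rails' own RequestForgeryProtection implementation: the token is derived from the session id and a constructed server secret with an HMAC, the comparison is constant-time, a mismatch resets the session, and a list of exempt controllers stands in for skip_before_action :verify_authenticity_token. The functions csrf_token_for, secure_compare, render_form and handle_request, and the SERVER_SECRET value, are all assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Constructed placeholder secret; a real app reads it from credentials.
SERVER_SECRET = "constructed-server-secret-do-not-reuse"

# Derive the per-session token from the session id and the server secret,
# mirroring "calculated from the current session and the server-side secret".
def csrf_token_for(session, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, session[:id])
end

# Constant-time comparison so the check does not leak how many leading
# characters of the token matched. Missing or mis-sized tokens fail closed.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A fresh session, as handed out on first visit (or after a reset).
def new_session
  { id: SecureRandom.hex(16), user: nil }
end

# Simulate the form Rails renders: the token travels in a hidden field.
def render_form(session)
  { "authenticity_token" => csrf_token_for(session), "amount" => "100" }
end

# Simulate the protection on an incoming request.
# Returns [:ok, session] when the request is allowed, or
# [:forgery, fresh_session] when the token fails and the session is reset.
# Safe methods (GET/HEAD) are not verified; controllers listed in
# skip_controllers behave like ones that skipped verify_authenticity_token.
def handle_request(method, params, session, controller: "orders", skip_controllers: [])
  return [:ok, session] if %w[GET HEAD].include?(method)
  return [:ok, session] if skip_controllers.include?(controller)

  expected = csrf_token_for(session)
  if secure_compare(params["authenticity_token"], expected)
    [:ok, session]
  else
    [:forgery, new_session]
  end
end

if __FILE__ == $PROGRAM_NAME
  sess = new_session
  puts handle_request("POST", render_form(sess), sess).first          # ok
  puts handle_request("POST", { "amount" => "100" }, sess).first       # forgery
end
```

The forged request in the demo is what a cross-site form submission looks like to the server: the browser attaches the victim's session cookie, but the attacker's page cannot read the token tied to that session, so the hidden field is absent or wrong and the request is rejected. Note that an exempt controller receives no such check at all, which is why skipping verification should be limited to endpoints that authenticate some other way.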