module ActionController::RequestForgeryProtection::ClassMethods

def protect_from_forgery(options = {})

* :only/:except - Passed to the before_filter call. Set which actions are verified.

Valid Options:

skip_before_filter :verify_authenticity_token, :except => [:create]

It can also be disabled for specific controller actions:

skip_before_filter :verify_authenticity_token

You can disable csrf protection on controller-by-controller basis:

protect_from_forgery :except => :index
class FooController < ApplicationController

Example:

Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
def protect_from_forgery(options = {})
  self.request_forgery_protection_token ||= :authenticity_token
  prepend_before_filter :verify_authenticity_token, options
end