Running Ruby 1.9.3 and Rails 3.2.8.

I feel like I'm not fully understanding how CSRF works.

I have `protect_from_forgery` in my ApplicationController.

So, now should all non-GET requests require an authentication token?

Specifically, I have a `destroy` method that doesn't seem to care if a token is present or not.
(I can submit a curl request in terminal, and it doesn't balk.)

Does being in development have something to do with it?

Thanks.
