What I do is allow the creation of a comment from a mobile device
by sending XML:
<?xml version="1.0" encoding="UTF-8"?>
<body>Comment from curl</body>
So I used protect_from_forgery :only => [:update, :destroy] to be able
to access :create.
But now it is open. As you can see in the request, I put the username and
password so the comment can be created.
How should I do this in a secure way, both regarding
protect_from_forgery and the username and password transfer?