protect_from_forgery :only => [:create, :delete, :update]
(1) Why do I need to put it in when I get an authenticity token error
from passing an :id from the controller through AJAX?
(2) Are there any disadvantages in doing this (does this expose security
(3) If it is that good, should I use it in every controller?
From the Ruby API (I still don't understand what this means):
Protecting controller actions from CSRF attacks by ensuring that all
forms are coming from the current web application, not a forged link
from another site, is done by embedding a token based on the session
(which an attacker wouldn't know) in all forms and Ajax requests
generated by Rails and then verifying the authenticity of that token
will not protect your XML API (presumably you'll have a different
authentication scheme there anyway). Also, GET requests are not
protected as these should be idempotent anyway.
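To make the quoted description concrete, here is an added stand-alone illustration (not Rails code, not from the question) of the check that protect_from_forgery performs: a token tied to the session, compared in constant time, checked only on non-GET requests and only for HTML/JS formats. The helper names, the request hash shape and the sample requests are assumptions; the Ajax case that omits the token is the situation behind question (1).

```ruby
require 'securerandom'

# Added illustration of the token check protect_from_forgery performs; these
# helper names and the request hash shape are assumed, not Rails's own API.
SAFE_METHODS = %w[GET HEAD].freeze
PROTECTED_FORMATS = %w[html js].freeze

# Token tied to the session (Rails keeps it in the session store), created on demand.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison so a failed check does not leak how many
# leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# request is a constructed hash {method:, format:, params:, headers:}.
# Returns :skipped (not checked), :verified, or :rejected.
def verify_authenticity(session, request)
  return :skipped if SAFE_METHODS.include?(request[:method].upcase)
  return :skipped unless PROTECTED_FORMATS.include?(request[:format])
  expected  = session[:_csrf_token]
  presented = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
  return :rejected if expected.nil? || presented.nil?
  secure_compare(expected, presented) ? :verified : :rejected
end

# Walk through the cases behind the question: a form and an Ajax call that carry
# the token, the Ajax call that forgot it, a cross-site POST, a GET, and an XML API call.
def demo
  session = {}
  token = csrf_token_for(session)
  base = { format: 'html', params: {}, headers: {} }
  {
    form_post:   verify_authenticity(session, base.merge(method: 'POST', params: { 'authenticity_token' => token })),
    ajax_post:   verify_authenticity(session, base.merge(method: 'POST', format: 'js', headers: { 'X-CSRF-Token' => token })),
    ajax_no_tok: verify_authenticity(session, base.merge(method: 'POST', format: 'js', params: { 'id' => '7' })),
    cross_site:  verify_authenticity(session, base.merge(method: 'POST', params: { 'authenticity_token' => 'guess' })),
    get_show:    verify_authenticity(session, base.merge(method: 'GET')),
    xml_api:     verify_authenticity(session, base.merge(method: 'POST', format: 'xml'))
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a real Rails app the Ajax case is fixed by sending the token from the csrf_meta_tags header as X-CSRF-Token (what jquery-ujs does), which is why the error goes away without disabling the check.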