protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?

protect_from_forgery :only => [:create, :delete, :update]

Questions:

(1)why do i need to put it in when i get an authenticate token error
from passing an :id from the controller through AJAX?
(2)are there any disadvantages in doing this(does this expose security
loopholes)?
(3)If it is that good should i use it in every controller?

from ruby api( i still don't understand what this means):
Protecting controller actions from CSRF attacks by ensuring that all
forms are coming from the current web application, not a forged link
from another site, is done by embedding a token based on the session
(which an attacker wouldn‘t know) in all forms and Ajax requests
generated by Rails and then verifying the authenticity of that token
in the controller. Only HTML/JavaScript requests are checked, so this
will not protect your XML API (presumably you‘ll have a different
authentication scheme there anyway). Also, GET requests are not
protected as these should be indempotent anyway.

(3)If it is that good should i use it in every controller?. Somebody
must thinkk so because it is the default in every app built.

In production mode it’s a default? Sorry still haven't got my app out of
development mode so I have no idea what happens during production.

[mailto:rubyonrails-talk@googlegroups.com] On Behalf Of Jorg Lueke

It's the default in any rails 2.0 project.

How come I have to add it in my controller to get rid of token error?

[mailto:rubyonrails-talk@googlegroups.com] On Behalf Of Jorg Lueke

The protect_from_forgery is on by default to prevent Cross Site
Request Forgery attacks.

You don't normally have to add this to your controller. What you are
actually doing in this case is adding the call so that your ajax
method is NOT protected from attacks.
It might make more sense to use the following:

protect_from_forgery :except => :your_ajax_method

The end result should be the same.
And listing which methods should not have protection is probably a
more robust solution, since forgetting to add to the :except list will
generate the kind of error you are seeing. Forgetting to add methods
to the :only list will not generate any error messages.

If you do not want to exclude your ajax method, your ajax submission
needs to include the token. This is done automatically by the
framework for most forms.

how do i find what ajax method is being used?. could you possibly give
an example?