I ran into a small gotcha when trying to add protect_from_forgery to
an existing Rails 1.x app, where you need to disable request forgery
protection for the test environment. This is done by default for apps
generated by Rails 2.0, but is not documented.
I'd like to see this tiny doc patch added, to spare people this hiccup
when moving to Rails 2.0.