I ran into a small gotcha when trying to add protect_from_forgery to an existing Rails 1.x app, where you need to disable request forgery protection for the test environment. This is done by default for apps generated by Rails 2.0, but is not documented.
I'd like to see this tiny doc patch added, to spare people this hiccup when moving to Rails 2.0.
http://dev.rubyonrails.org/ticket/10440
Thanks, - Trevor
