I feel like I'm not fully understanding how CSRF works.
I have `protect_from_forgery` in my ApplicationController.
So, now should all non-GET requests require an authentication token?
Specifically, I have a `destroy` method that doesn't seem to care if a token is present or not.
(I can submit a curl request in terminal, and it doesn't balk.)
Does being in development have something to do with it?
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/HHn_rlYXHzsJ.