Security is the first concern for every application, so Rails provides the controller method protect_from_forgery, which is included by default in the ApplicationController of every newly generated application:
class ApplicationController < ActionController::Base
protect_from_forgery
end
So whenever you create a form in your Rails application, it includes a hidden field carrying an authenticity token, which is sent with the form submission so that the application can recognize that the request originated from its own pages. protect_from_forgery verifies every request except GET and HEAD requests. Here we will discuss the options available:
1. Completely skipping:
We can skip protect_from_forgery entirely if our application is purely API based and we don't want any forgery checks. It can be done by adding this line of code:
skip_before_action :verify_authenticity_token
2. Customizing for specific actions:
Like all other Rails filters, it supports the :only/:except options, so you can list the actions it applies to:
class ApplicationController < ActionController::Base
protect_from_forgery except: [:login, :signup]
## or
protect_from_forgery only: [:edit, :show]
end
3. Providing blocks/conditions:
It supports the :if/:unless options too, so you can provide a condition that decides whether protect_from_forgery runs for a given request:
protect_from_forgery if: :some_condition
4. :with
It is used to set the strategy that handles an unverified request.
5. There are a few strategies available for handling unverified requests:
a) exception: It is present by default in a generated Rails application and raises an ActionController::InvalidAuthenticityToken exception.
b) reset_session: It resets the session, discarding everything stored in it.
c) null_session: It provides an empty session for the duration of the request but doesn't reset the stored one. It is the default when the :with option is not specified.
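To make the token check and the three :with strategies described above concrete, here is an added, self-contained Ruby model of the mechanism. It is example code written for this page, not ActionController's implementation: it generates a per-session secret, masks it with a one-time pad before it is rendered into a form (so each form carries a different value), unmasks and compares it in constant time on submission, skips GET and HEAD, and dispatches an unverified request to an exception, reset_session or null_session handler. The session is assumed to be a plain Hash and the method, function and constant names are this example's own.

```ruby
require "securerandom"

# Illustrative re-implementation of Rails-style CSRF protection (not Rails code).

SAFE_METHODS = %w[GET HEAD].freeze # methods that are never verified

# Per-session secret, stored server-side (constructed with SecureRandom).
def generate_csrf_token
  SecureRandom.base64(32)
end

# Mask the secret with a fresh one-time pad so the value embedded in a form
# differs on every render; output is base64(pad || secret XOR pad).
def mask_token(raw)
  raw_bytes = raw.bytes
  pad = SecureRandom.random_bytes(raw_bytes.size).bytes
  masked = raw_bytes.zip(pad).map { |b, p| b ^ p }
  [(pad + masked).pack("C*")].pack("m0")
end

# Reverse the masking; returns "" for malformed input so comparison fails closed.
def unmask_token(masked_b64)
  data = masked_b64.unpack1("m0").bytes
  return "" if data.empty? || data.size.odd?
  half = data.size / 2
  pad, masked = data[0, half], data[half, half]
  masked.zip(pad).map { |b, p| b ^ p }.pack("C*")
rescue ArgumentError # invalid base64
  ""
end

# Constant-time comparison: no early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when the request may proceed: safe method, or a submitted token that
# unmasks to the secret held in the session.
def verified_request?(method:, session:, param_token:)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  real = session[:_csrf_token]
  return false if real.nil? || param_token.nil?
  secure_compare(real, unmask_token(param_token))
end

class InvalidAuthenticityToken < StandardError; end

# The three :with strategies, modelled on plain Hash sessions.
def handle_unverified_request(strategy, session)
  case strategy
  when :exception     then raise InvalidAuthenticityToken, "unverified request"
  when :reset_session then session.clear # wipe the stored session
  when :null_session  then {}            # empty session for this request only
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Returns the session the request should run with (default mirrors :null_session).
def protect_from_forgery(method:, session:, param_token:, with: :null_session)
  return session if verified_request?(method: method, session: session, param_token: param_token)
  handle_unverified_request(with, session)
end

if __FILE__ == $PROGRAM_NAME
  session = { _csrf_token: generate_csrf_token, user_id: 42 }
  form_token = mask_token(session[:_csrf_token])
  puts "POST with valid token verified: #{verified_request?(method: 'POST', session: session, param_token: form_token)}"
  puts "POST without token verified:    #{verified_request?(method: 'POST', session: session, param_token: nil)}"
  puts "null_session gives: #{protect_from_forgery(method: 'POST', session: session, param_token: nil).inspect}"
end
```

The masking step is why two renders of the same form show different hidden-field values even though the session secret is unchanged, and the constant-time comparison is why the check does not leak how many leading bytes of a guessed token were correct. Note that :null_session leaves the stored session intact, whereas :reset_session empties it.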