When a user requests a form for a resource, the Rails application generates a random string as an authenticity token and stores it in the session. When the form is rendered, that token is placed in the form as a hidden field. When the user submits the form, Rails looks for the token in the request and compares it with the token stored in the session; the request is allowed to continue only if the two tokens match. The good thing is that an attacker on another site has no access to the token. The authenticity token is designed for you so that a form is accepted only when it was submitted from your own application, which protects against CSRF (Cross-site request forgery) attacks.
Notes:
Rails only checks POST, PUT, and DELETE requests. GET requests are not protected because they are not supposed to do anything sensitive, such as writing to the database.
Lessons:
Use the authenticity token to protect your POST, PUT, and DELETE requests, and make sure that GET requests never modify resources.
If you want to skip the authenticity token check for specific actions, use this:
skip_before_filter :verify_authenticity_token, :only => [:upload_csv]
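The flow described above, reduced to a small stand-alone model: an added example written for this post, not Rails' own code. A plain Hash stands in for the Rails session store, the `skip_for:` parameter is a hypothetical name that plays the role of `skip_before_filter :verify_authenticity_token, :only => [...]` (called `skip_before_action` in Rails 5 and later), and the token comparison is constant-time so that the check does not leak how many leading bytes matched. Only the session holds the token, so a request that did not originate from a form the application rendered cannot supply it.

```ruby
require 'securerandom'

# Added example, not code from the original post or from Rails itself: a
# minimal model of the authenticity-token flow. The session is a plain Hash
# standing in for the Rails session store.
module CsrfGuard
  SESSION_KEY = '_csrf_token'.freeze
  PARAM_NAME  = 'authenticity_token'.freeze

  # Rails skips the check for GET and HEAD; every other verb is verified.
  def self.protected_method?(http_method)
    !%w[GET HEAD].include?(http_method.to_s.upcase)
  end

  # Step 1: when a form is rendered, mint a random token once per session
  # and keep it server-side. Later forms in the same session reuse it.
  def self.issue_token(session)
    session[SESSION_KEY] ||= SecureRandom.urlsafe_base64(32)
  end

  # Step 2: embed the token in the form as a hidden field. urlsafe_base64
  # only yields [A-Za-z0-9_-], so no HTML escaping is needed here.
  def self.hidden_field(session)
    %(<input type="hidden" name="#{PARAM_NAME}" value="#{issue_token(session)}">)
  end

  # Constant-time comparison: the running time does not depend on which
  # byte differs, so an attacker learns nothing from response timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Step 3: on submit, compare the submitted token with the session copy.
  # `skip_for` (hypothetical name for this example) models
  # `skip_before_filter :verify_authenticity_token, :only => [...]`.
  def self.verified?(session, http_method, params, action:, skip_for: [])
    return true unless protected_method?(http_method)
    return true if skip_for.include?(action)
    expected = session[SESSION_KEY]
    return false if expected.nil?
    secure_compare(expected, params[PARAM_NAME].to_s)
  end
end

# Walk through the scenarios the post describes and return the outcomes.
def csrf_demo
  session = {}                       # constructed: the victim's own session
  field   = CsrfGuard.hidden_field(session)
  token   = field[/value="([^"]+)"/, 1]

  {
    # The form rendered by the app carries the session's token.
    genuine_post: CsrfGuard.verified?(session, 'POST', { 'authenticity_token' => token }, action: :create),
    # A form on another site cannot read the victim's session, so it has no token.
    forged_post: CsrfGuard.verified?(session, 'POST', {}, action: :create),
    # A guessed or stale token of the right length does not match either.
    wrong_token: CsrfGuard.verified?(session, 'DELETE', { 'authenticity_token' => 'x' * token.size }, action: :destroy),
    # GET is not checked, which is why GET must never modify a resource.
    plain_get: CsrfGuard.verified?(session, 'GET', {}, action: :index),
    # The action excluded via skip_before_filter accepts a tokenless POST.
    skipped_action: CsrfGuard.verified?(session, 'POST', {}, action: :upload_csv, skip_for: [:upload_csv])
  }
end

if __FILE__ == $0
  csrf_demo.each { |name, ok| puts "#{name}: #{ok ? 'allowed' : 'rejected'}" }
end
```

The last scenario is the practical caveat behind the skip filter: an action listed in `:only` accepts requests without any token, so it is only appropriate for endpoints that authenticate some other way (for example an API token) and must not be used on actions that a logged-in browser session can reach.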