CSRF protection is turned on with the protect_from_forgery method, which checks the token and resets the session if it doesn’t match what was expected. A call to this method is generated for new Rails applications by default. You can customize the error message by editing public/422.html.
The token parameter is named authenticity_token by default. The name and value of this token must be added to every layout that renders forms by including csrf_meta_tags in the html head.
Learn more about CSRF attacks and securing your application in the Ruby on Rails Security Guide.
…but you’re probably looking for ActionController::RequestForgeryProtection::ClassMethods