What is CSRF protection in Rails?

Answer

CSRF (Cross-Site Request Forgery) is an attack where a malicious site tricks a logged-in user's browser into making unwanted requests to your app. Rails protects against this with an authenticity token — a unique, secret, session-specific token embedded in all non-GET forms. When a form is submitted, Rails verifies the token. If it's missing or wrong, the request is rejected. This is enabled by default via protect_from_forgery with: :exception in ApplicationController. Rails' form_with helper automatically includes the CSRF token.
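The token lifecycle described above, as an added example that is a simplified model of the Rails scheme and not the Rails source: one raw secret per session, a freshly masked copy for every rendered form, and constant-time verification on submit that rejects missing, malformed, or foreign-session tokens. The session is assumed to be a plain Hash and the method names are hypothetical.

```ruby
require "securerandom"
require "base64"

# Simplified model of protect_from_forgery (constructed example, not Rails' own code).
TOKEN_LENGTH = 32

# One raw secret per session, created lazily the first time a form is rendered.
def session_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

# What the hidden authenticity_token field carries: the raw token XORed with a
# random one-time pad, prefixed by the pad, then base64-encoded. A fresh pad per
# form means the same session secret never appears twice on the wire.
def masked_authenticity_token(session)
  raw = session_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  masked = raw.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack("C*")
  Base64.strict_encode64(pad + masked)
end

# Constant-time byte comparison so a wrong token leaks no timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification: decode, strip the pad, recover the raw token, compare to the
# session's secret. Missing, malformed, or foreign-session tokens yield false.
def valid_authenticity_token?(session, submitted)
  return false if submitted.nil? || session[:_csrf_token].nil?
  decoded = Base64.strict_decode64(submitted.to_s)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  raw = masked.bytes.zip(pad.bytes).map { |a, b| a ^ b }.pack("C*")
  secure_compare(raw, session[:_csrf_token])
rescue ArgumentError
  false # not valid base64
end

# Mirrors "with: :exception": safe methods pass, anything else must carry a valid token.
def verify_request!(method, session, params)
  return true if %w[GET HEAD].include?(method)
  unless valid_authenticity_token?(session, params["authenticity_token"])
    raise "ActionController::InvalidAuthenticityToken"
  end
  true
end
```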