I want to build a rails app with two different protect_from_forgery strategies: one for the web application, and one for the API.
In my application controller I have thi
What if you leave the protect_from_forgery with: :exception
in the application controller but then you put the following in your API controller?
skip_before_action :verify_authenticity_token # protect_from_forgery registers this callback (there is no callback named :protect_from_forgery, so skipping that name does nothing or raises, depending on the Rails version)
protect_from_forgery with: :null_session
That way, you still get the standard CSRF attack protection for all controllers in your web application but you also get the null session behavior for your API methods.
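To make the difference between the two strategies concrete, here is an added stand-alone Ruby example (not code from the original post and not Rails itself). It does not load Rails; the BaseController, WebController, ApiController and Request names are my own and only imitate the parts that matter: the strategy is a class-level setting that subclasses inherit and may override, state-changing requests are checked for a token that matches the session, and an unverified request is either rejected (:exception) or allowed to continue with an empty session (:null_session), so a forged cross-site request cannot act on a logged-in session either way.

```ruby
# Added example, not from the original post: a stand-alone model of how a
# protect_from_forgery strategy is inherited and overridden per controller.
# Nothing here loads Rails; the classes only imitate the relevant behaviour.
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Minimal stand-in for a Rails request: HTTP verb, params, and the session
# (the session is what a forged cross-site request would ride on).
Request = Struct.new(:verb, :params, :session)

class BaseController
  # Imitates Rails' class_attribute: subclasses inherit the value unless they
  # set their own with protect_from_forgery.
  @strategy = :exception

  class << self
    attr_reader :strategy

    def protect_from_forgery(with:)
      @strategy = with
    end

    def inherited(sub)
      super
      sub.instance_variable_set(:@strategy, @strategy)
    end
  end

  def initialize(request)
    @request = request
  end

  # Runs the forgery check (Rails' verify_authenticity_token before_action),
  # then the action. Returns [status, session_as_seen_by_the_action].
  def dispatch
    verify_authenticity_token
    [200, @request.session]
  end

  private

  # GET and HEAD are not verified, matching Rails; for state-changing verbs
  # the token in params must equal the one stored in the session.
  def verify_authenticity_token
    return if %w[GET HEAD].include?(@request.verb)
    expected = @request.session[:csrf_token]
    return if expected && @request.params[:authenticity_token] == expected

    handle_unverified_request
  end

  def handle_unverified_request
    case self.class.strategy
    when :exception     then raise InvalidAuthenticityToken
    when :null_session  then @request.session = {}     # action runs as an anonymous request
    when :reset_session then @request.session.clear    # session is wiped for the rest of the request
    end
  end
end

# Inherits :exception from BaseController, like the application's web controllers.
class WebController < BaseController
end

# Overrides the strategy for the API only, as in the answer above.
class ApiController < BaseController
  protect_from_forgery with: :null_session
end

# Constructed sample session representing a logged-in user.
def logged_in_session(token = SecureRandom.hex(16))
  { user_id: 42, csrf_token: token }
end

if $PROGRAM_NAME == __FILE__
  token = SecureRandom.hex(16)
  p WebController.new(Request.new("POST", { authenticity_token: token }, logged_in_session(token))).dispatch
  begin
    WebController.new(Request.new("POST", {}, logged_in_session(token))).dispatch
  rescue InvalidAuthenticityToken => e
    puts "web POST without token: #{e.class}"
  end
  p ApiController.new(Request.new("POST", {}, logged_in_session(token))).dispatch
end
```

The check to keep in mind when using this layout in a real app: the API controller's actions must not rely on the session for authentication (use an API token or similar instead), because under :null_session a forged request still reaches the action, only with no session attached.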