Rails shows "WARNING: Unable to authenticate CSRF token" from a RestKit POST

When I try to POST from RestKit, a warning appears in the Rails console:

    Started POST "/friends" for 127.0.0.1 at 2012-04-16 09:58:10 +0800
    Processing by FriendsController#create as */*
      Parameters: {"friend"=>{"myself_id"=>"m001", "friend_id"=>"f001"}}
    WARNING: Can't verify CSRF token authenticity
       (0.1ms)  BEGIN
      SQL (1.7ms)  INSERT INTO `friends` (`friend_id`, `myself_id`) VALUES ('f001', 'm001')
       (1.1ms)  COMMIT
    Redirected to http://127.0.0.1:3000/friends/8
    Completed 302 Found in 6ms (ActiveRecord: 3.0ms)

Here is the client code:

    // Build the nested params hash Rails expects: {"friend" => {...}}
    NSMutableDictionary *attributes = [[NSMutableDictionary alloc] init];
    [attributes setObject:@"f001" forKey:@"friend_id"];
    [attributes setObject:@"m001" forKey:@"myself_id"];
    NSMutableDictionary *params = [NSMutableDictionary dictionaryWithObject:attributes forKey:@"friend"];
    // Send the POST through RestKit's shared client; self receives the delegate callbacks
    [[RKClient sharedClient] post:@"/friends" params:params delegate:self];

How can I get rid of the warning?

+22
ios ruby-on-rails ruby-on-rails-3 restkit
Apr 16
1 answer

You can safely remove the warning with the following:

    skip_before_filter :verify_authenticity_token

This should be included in every Rails API controller that you have, or if you have a base_controller for all of your API controllers, put it there.

If your application can also be accessed through a web browser, do not put this line in application_controller, as you will create a security vulnerability.

It is safe to remove CSRF protection for API calls, since this specific vulnerability can only be exploited through a web browser.

December 16, 2013 Edit

I have seen some links to this answer and other content offering clarification. The API may be vulnerable to CSRF if you use web authentication methods, such as sessions or cookies, to authenticate the API.

There are some good details in "Is your web API susceptible to a CSRF exploit?".

My advice still applies to RestKit users, as user credentials are unlikely to be session- or cookie-based, but rather username- or API-key-based.

If your API can be authenticated using sessions or cookies, you should avoid skipping :verify_authenticity_token, and you should consider switching to API-based authentication.

If your API can be authenticated with a username and password that are also used for authentication on the website, there is still a potential exploit, although it is less serious, as it would require the user to enter the username and password for your site in the HTTP Auth prompt when visiting a site using the exploit. Again, for better security, you should consider switching to API-based authentication.

It is worth noting that I do not agree that you need to add :only => [:your_method] for additional protection, provided that you have isolated API controllers, your API does not mix with your web responses, and you do not use sessions or cookies. If those are in place, you can safely add skip_before_filter to the base_controller for your API.

+71
Apr 27
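The answer's rule of thumb (skip the CSRF check only for requests that are authenticated by something a browser will not attach on its own, never for cookie-session requests) can be modelled in a few lines. The following is an added example, not code from the question, the answer, RestKit or Rails. The CsrfPolicy class, the Rack-style env hashes, the API key values and the session contents are all constructed here; the Bearer header format and the authenticity_token form field are assumptions modelled on common Rails conventions.

```ruby
# Added example: a self-contained model of the decision the answer describes.
# Requests carrying an API key in the Authorization header skip the CSRF
# check; requests authenticated by a cookie session must present a matching
# CSRF token. All keys, sessions and requests below are constructed.
class CsrfPolicy
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # api_keys: constructed map of API key => user id (hypothetical key store)
  def initialize(api_keys)
    @api_keys = api_keys
  end

  # Constant-time comparison so the token check does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # env: Rack-style hash (REQUEST_METHOD, HTTP_AUTHORIZATION, HTTP_X_CSRF_TOKEN, 'params')
  # session: cookie-session hash, empty when no session cookie was sent
  # Returns [:allow, reason] or [:reject, reason].
  def check(env, session)
    return [:allow, 'safe method'] if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    key = bearer_token(env)
    if key
      # A browser cannot add this header cross-origin without knowing the key,
      # so the request is not forgeable and needs no CSRF token. This is the
      # case the answer's skip_before_filter covers.
      return @api_keys.key?(key) ? [:allow, 'api key auth'] : [:reject, 'unknown api key']
    end

    if session[:user_id]
      # The browser attaches the session cookie automatically, so a cross-site
      # form would arrive authenticated: require the per-session CSRF token
      # (from the X-CSRF-Token header or the authenticity_token form field).
      submitted = env['HTTP_X_CSRF_TOKEN'] || env.fetch('params', {})['authenticity_token']
      expected  = session[:csrf_token]
      return [:reject, 'missing csrf token'] if submitted.nil? || expected.nil?
      ok = self.class.secure_compare(submitted, expected)
      return ok ? [:allow, 'csrf token ok'] : [:reject, 'csrf token mismatch']
    end

    [:reject, 'unauthenticated']
  end

  private

  # Extracts the key from "Authorization: Bearer <key>", or nil if absent.
  def bearer_token(env)
    header = env['HTTP_AUTHORIZATION']
    return nil unless header
    m = header.match(/\ABearer\s+(\S+)\z/)
    m && m[1]
  end
end

# Constructed sample requests, mirroring the "/friends" POST from the question.
POLICY       = CsrfPolicy.new('k-f001-constructed' => 'm001')
API_POST     = { 'REQUEST_METHOD' => 'POST', 'HTTP_AUTHORIZATION' => 'Bearer k-f001-constructed' }
BROWSER_POST = { 'REQUEST_METHOD' => 'POST', 'params' => { 'friend' => { 'friend_id' => 'f001' } } }
SESSION      = { user_id: 'm001', csrf_token: 'constructed-csrf-token' }

if __FILE__ == $PROGRAM_NAME
  p POLICY.check(API_POST, {})                                                       # => [:allow, "api key auth"]
  p POLICY.check(BROWSER_POST, SESSION)                                              # => [:reject, "missing csrf token"]
  p POLICY.check(BROWSER_POST.merge('HTTP_X_CSRF_TOKEN' => 'constructed-csrf-token'), SESSION) # => [:allow, "csrf token ok"]
end
```

Mapped onto the answer's controller layout: the api-key branch is what a dedicated API base controller with the skip gets, while the session branch is what application_controller must keep, which is why the skip should not be added there when the same app also serves browser sessions.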