Even if you disable it in your app_controller, your individual controller can enable this protection. Since my wild guess is that this is what you want to do. If not tell me more about this.
function beforeFilter(){ parent::beforeFilter(); if(isset($this->Security) && $this->RequestHandler->isAjax() && $this->action = 'add'){ $this->Security->enabled = false; } }
You can read about it here . Hope this solves your problem.