Request - Response from php server to ruby on rails server. CSRF token issue

If are using the rails controller as an API, protecting with CSRF tokens doesn't make sense. As the name Cross-Site Request Forgery tokens say, they prevent your app from being accessed from anywhere other than the views generated by the same web app.

So, you should disable CSRF in your case and use the authenticity token.

Answering your question with how to securely use this authenticity token on rails app, if you have any user management, assign authenticity tokens to users and find user with a sent token and you know if that user is allowed to make that request. If you don't have a user management, create a database table for authenticity tokens and validate the requests based on what you have in database.

You could write a custom before_filter in application_controller and perform the authentication or authorization based on the authenticity_token in the request.

P.S, if you are worried about the authenticity_token being visible for attackers in the network while sending requests, use https.

If Rails app is used as an API server, then simply add protect_from_forgery with: :null_session in appropriate controller.