protect_from_forgery in Rails 6?
For rails 5.2 and higher is enabled by default on ActionController::Base. Check out this commit:https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55
* Protect from forgery by default Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base depending on `config.action_controller.default_protect_from_forgery`. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.
In official docs: https://edgeguides.rubyonrails.org/configuring.html
config.action_controller.default_protect_from_forgery determines whetherforgery protection is added on ActionController:Base. This is false by default.