Hi!
The current README states regarding converting a standard app into a rails-api app:
"And comment out the protect_from_forgery call if you are using it."
However, Rails seems to recommend the following, per the comment in the application controller (at least in Rails 4):
"Prevent CSRF attacks by raising an exception.
For APIs, you may want to use :null_session instead."
I don't follow exactly why they are recommending null_session - is it because they're assuming your app isn't solely an API?
In any case, it would be great if this can be addressed in the README because otherwise it will be confusing as how to proceed, as the Rails comments contradict the advice given here.
Thanks!