There was proper documentation for this, so I'm making a note of it.
ActionController::RequestForgeryProtection
It’s important to remember that XML or JSON requests are also affected and if you’re building an API you should change forgery protection method in ApplicationController (by default: :exception):
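To show what the choice of forgery protection method means for a request that fails CSRF verification, here is an added example: a simplified pure-Ruby model, not Rails source and not code from the Rails documentation. `Request`, `verified?`, `handle` and `sample_session` are hypothetical names and the session data is constructed; the three strategy symbols are the ones `protect_from_forgery with:` accepts.

```ruby
# Simplified model, NOT Rails source: how each protect_from_forgery strategy
# treats a request that fails CSRF verification. All names are hypothetical.
class InvalidAuthenticityToken < StandardError; end

Request = Struct.new(:verb, :session, :csrf_header)

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# GET/HEAD are not checked; other verbs must carry the session's token.
def verified?(req)
  return true if %w[GET HEAD].include?(req.verb)
  expected = req.session[:_csrf_token].to_s
  !expected.empty? && secure_compare(expected, req.csrf_header.to_s)
end

# Returns [session the action sees, session stored after the request].
def handle(req, strategy)
  return [req.session, req.session] if verified?(req)
  case strategy
  when :exception
    raise InvalidAuthenticityToken
  when :reset_session
    req.session.clear
    [req.session, req.session]
  when :null_session
    [{}, req.session] # empty for this request only, stored session untouched
  else
    raise ArgumentError, "unknown strategy: #{strategy.inspect}"
  end
end

# Constructed sample: a logged-in session; the POST below carries no token.
def sample_session
  { user_id: 42, _csrf_token: "constructed-token-0001" }
end

if __FILE__ == $PROGRAM_NAME
  %i[exception reset_session null_session].each do |strategy|
    begin
      seen, stored = handle(Request.new("POST", sample_session, nil), strategy)
      puts "#{strategy}: action sees #{seen.inspect}, stored #{stored.inspect}"
    rescue InvalidAuthenticityToken
      puts "#{strategy}: request rejected (InvalidAuthenticityToken)"
    end
  end
end
```

For a token-authenticated API, the point of the model is the `:null_session` branch: the action runs without the cookie session's identity, so a cross-site request cannot borrow the logged-in user.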