EDIT:
In Rails 4 I now use what @genkilabs suggests in the comment below:
protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
Which, instead of completely turning off the built in security, kills off any session that might exist when something hits the server without the CSRF token.
skip_before_filter :verify_authenticity_token, :if => Proc.new { |c| c.request.format == 'application/json' }
This would turn off the CSRF check for json posts/puts that have properly been marked as such.
For example, in iOS setting the following to your NSURLRequest where “parameters” are your parameters:
[request setHTTPMethod:@"POST"];
[request setValue:@"application/json"
forHTTPHeaderField:@"content-type"];
[request setValue:@"application/json"
forHTTPHeaderField:@"accept"];
[request setHTTPBody:[NSData dataWithBytes:[parameters UTF8String]
length:[parameters length]]];