csrf-token is a required security token that Rails introduced to protect against forged requests (CSRF). Rails includes a csrf-token (or authenticity_token) in every page (<meta content="yQ8jOlKSBR+9tCfk6uU6P82h33NxktCgrAtLQBWZX6s=" name="csrf-token">) and in every form (<input name="authenticity_token" type="hidden" value="yQ8jOlKSBR+9tCfk6uU6P82h33NxktCgrAtLQBWZX6s=">). The token is then sent as a parameter in all forms and Ajax requests generated by Rails (this does not cover Ajax requests that developers make themselves). This way Rails can verify that a request originates from its own site and thereby avoid CSRF.

But a lot has changed: today we depend heavily on requests made from clients other than a browser, for example when we use Rails as an API server and send requests from a mobile app or a web app. CSRF protection is designed to protect the session.
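To make the mechanism in the two paragraphs above concrete, here is an added, self-contained Ruby example (not code from the page or from Rails itself) that mirrors the flow: a per-session secret, the token embedded in a meta tag and a hidden form field, and a server-side check that accepts the token from the authenticity_token parameter or the X-CSRF-Token header, exempts read-only methods, and rejects a request that carries no token, as a mobile or API client would. It also applies the one-time-pad masking Rails has used since 4.2 so each rendered page carries a different value. The function names, the TOKEN_LENGTH constant and the session hash layout are assumptions for this example, not Rails APIs.

```ruby
require 'securerandom'
require 'base64'
require 'erb'

TOKEN_LENGTH = 32 # raw token bytes (assumption: mirrors Rails' AUTHENTICITY_TOKEN_LENGTH)

# One secret per session; Rails keeps it in session[:_csrf_token].
def new_session
  { csrf_token: Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH)) }
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the session token with a fresh one-time pad so every rendered page
# carries a different value (Rails does this to blunt compression-based leaks).
def masked_token(session)
  raw = Base64.strict_decode64(session[:csrf_token])
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(raw, pad))
end

# Reverse the masking; returns nil for missing or malformed input instead of raising.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked.to_s)
  return nil unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, encrypted = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(encrypted, pad)
rescue ArgumentError
  nil
end

# Constant-time comparison so a timing difference does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The token arrives as the authenticity_token param (forms) or the X-CSRF-Token
# header (Rails-generated Ajax). GET/HEAD/OPTIONS are exempt, as in Rails.
def verified_request?(session, method:, params: {}, headers: {})
  return true if %w[GET HEAD OPTIONS].include?(method.upcase)
  submitted = params['authenticity_token'] || headers['X-CSRF-Token']
  real = unmask_token(submitted)
  return false if real.nil?
  secure_compare(real, Base64.strict_decode64(session[:csrf_token]))
end

# How the token is embedded in a page: meta tag for Ajax, hidden input for forms.
def render_form(session)
  token = ERB::Util.html_escape(masked_token(session))
  <<~HTML
    <meta name="csrf-token" content="#{token}">
    <form method="post" action="/posts">
      <input type="hidden" name="authenticity_token" value="#{token}">
    </form>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  puts render_form(session)
  good = { 'authenticity_token' => masked_token(session) }
  puts "form with token:            #{verified_request?(session, method: 'POST', params: good)}"
  puts "API client, no token:       #{verified_request?(session, method: 'POST')}"
  stolen = { 'authenticity_token' => masked_token(new_session) }
  puts "token from another session: #{verified_request?(session, method: 'POST', params: stolen)}"
end
```

The last case is the one the second paragraph points at: a non-browser client that never rendered a page has no token to send, so a token-only check turns it away even though no session is at stake, which is why Rails API setups choose a different verification strategy for those clients.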