I noticed the other day that rails seems to be ignoring authenticity tokens for AJAX requests. For instance, I purposely changed my AJAX call to pass an invalid token but did not manage to get Rails to complain..

I investigate this and provide the answer in this post