You might not know that Rails disables CSRF protection in tests. This means that if you accidentally forget to send the CSRF token for non-GET requests, your tests will be green even though your application is completely broken (a failed CSRF check usually logs out the user). Rails probably does this because CSRF protection sort of requires JavaScript.
You want to enable CSRF protection in Cucumber scenarios that can speak JavaScript. To do so, copy the attached file to features/support. For this to work you also need the following things:
Posted by Henning Koch to makandra dev (2013-10-08 12:58)
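
One way such a support file could look, as an added example that is not the file attached to the original card: it turns forgery protection on for scenarios tagged @javascript and restores the previous setting afterwards. The file name and the module name CsrfInJavascriptScenarios are hypothetical, and it assumes the JavaScript driver serves the app from the same process as the test run.

```ruby
# features/support/csrf_protection.rb (hypothetical file name)
# Added example; not the file attached to the original card.
module CsrfInJavascriptScenarios
  # Turns forgery protection on for `controller` and returns the previous
  # setting so the caller can put it back after the scenario.
  def self.enable(controller)
    previous = controller.allow_forgery_protection
    controller.allow_forgery_protection = true
    previous
  end

  # Restores the setting captured by `enable`, so scenarios without
  # JavaScript keep the Rails test default (protection off).
  def self.restore(controller, previous)
    controller.allow_forgery_protection = previous
  end
end

# Register the hooks only when this file is loaded by Cucumber inside a
# Rails app; loaded on its own, the file just defines the module above.
if respond_to?(:Before, true) && defined?(ActionController::Base)
  Before('@javascript') do
    @csrf_previous = CsrfInJavascriptScenarios.enable(ActionController::Base)
  end

  After('@javascript') do
    CsrfInJavascriptScenarios.restore(ActionController::Base, @csrf_previous)
  end
end
```

With this in place, a non-GET request that omits the token fails in a @javascript scenario the same way it would in production, instead of passing silently.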