Reputation: 13181
I know how to enable/disable authenticity token verification, but I don't know when it makes sense to enable it.
For example in a rails app, what I understood is the following. kindly let me know if I got it wrong
Web:
Api:
Upvotes: 1
Views: 685
Reputation: 1410
It's not correct that private pages do not need to enable CSRF protection. Private pages, where the user is authenticated, are the ones that are vulnerable to CSRF. In this attack, somebody who is logged in is tricked (by clicking a link in an email, for example) into taking an action they didn't intend to, which the site accepts, because it comes from a logged-in user with a valid session. protect_from_forgery prevents this by ensuring that non-GET requests can only be initiated from the site itself, by a user who is aware of the action they're taking.
Upvotes: 3
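The scenario in the answer above, traced end to end, as an added example that is not part of the original question or answer and is not Rails code. It is a small stand-alone simulation of what protect_from_forgery does: a session-bound token that the site stamps into its own forms, a constant-time check of that token on every non-GET request, and the two strategies Rails offers (raise on a web controller, drop the session on an API controller). The class and method names (Session, Request, verified_request?, web_transfer, api_transfer, API_KEYS) mimic Rails conventions but are hypothetical, and the victim/attacker requests are constructed inline.

```ruby
require "securerandom"

# Only GET and HEAD are treated as safe: they must not change state, so they
# never need a token. Every other method must prove it came from the site.
SAFE_METHODS = %w[GET HEAD].freeze

class InvalidAuthenticityToken < StandardError; end

# Server-side session, looked up from the cookie the browser sends automatically
# with every request to the site, including requests an attacker's page triggers.
class Session
  attr_reader :user_id

  def initialize(user_id)
    @user_id = user_id
    @data = {}
  end

  # The token lives in the session and is embedded in forms the site renders;
  # an attacker's origin cannot read it because of the same-origin policy.
  def csrf_token
    @data[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def token_issued?
    @data.key?(:_csrf_token)
  end
end

# Constant-time compare, so a wrong token cannot be confirmed byte by byte.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical request: HTTP method, the session resolved from the cookie
# (nil when no cookie was sent), and the submitted parameters.
Request = Struct.new(:method, :session, :params, keyword_init: true)

# Safe methods pass; otherwise the submitted token must match the session's.
def verified_request?(req)
  return true if SAFE_METHODS.include?(req.method)
  return false unless req.session && req.session.token_issued?
  secure_compare(req.session.csrf_token, req.params[:authenticity_token])
end

# Web controller behaviour (protect_from_forgery with: :exception): an
# unverified non-GET request is refused outright.
def web_transfer(req)
  raise InvalidAuthenticityToken unless verified_request?(req)
  "transferred #{req.params[:amount]} from user #{req.session.user_id}"
end

# API controller behaviour (protect_from_forgery with: :null_session): an
# unverified request is not refused, but it runs with no session at all, so
# the victim's login cookie is worthless to the attacker. The API therefore
# has to authenticate some other way, here with a constructed per-client key.
API_KEYS = { "key-for-user-7" => 7 }.freeze

def api_transfer(req)
  session = verified_request?(req) ? req.session : nil
  user_id = API_KEYS[req.params[:api_key]] || session&.user_id
  return "unauthorized" unless user_id
  "transferred #{req.params[:amount]} from user #{user_id}"
end

# Constructed traffic: a logged-in victim, one honest form post, and one
# forged post from an attacker page that the browser sends with the cookie.
def scenarios
  victim = Session.new(7)
  token = victim.csrf_token # issued when the site rendered its own form (GET)
  legit = Request.new(method: "POST", session: victim,
                      params: { amount: 10, authenticity_token: token })
  forged = Request.new(method: "POST", session: victim,
                       params: { amount: 10_000, authenticity_token: "guess" })
  api_with_key = Request.new(method: "POST", session: nil,
                             params: { amount: 5, api_key: "key-for-user-7" })

  forged_result = begin
    web_transfer(forged)
  rescue InvalidAuthenticityToken => e
    "rejected: #{e.class}"
  end

  {
    plain_get: verified_request?(Request.new(method: "GET", session: victim, params: {})),
    legit: web_transfer(legit),
    forged: forged_result,
    api_with_key: api_transfer(api_with_key),
    api_forged: api_transfer(forged)
  }
end

puts scenarios if __FILE__ == $PROGRAM_NAME
```

The point to take from the two API lines: switching an API to :null_session is only safe when the API never trusts the session cookie for authentication. If an endpoint under that setting still reads login state from the session, a forged browser request would reach it with the session dropped, which is harmless, but an endpoint that authenticates purely by cookie and skips forgery protection entirely is exactly the vulnerable case the answer describes.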