protect_from_forgery is not prepended by default

so it has to appear before devise's auth methods

app/controllers/application_controller.rb

@@ -4,6 +4,8 @@ class ApplicationController < ActionController::Base
   include HasFilters
   include HasOrders
 
+  protect_from_forgery with: :exception
+
   before_action :authenticate_http_basic, if: :http_basic_auth_site?
 
   before_action :ensure_signup_complete
@@ -15,8 +17,6 @@ class ApplicationController < ActionController::Base
   check_authorization unless: :devise_controller?
   self.responder = ApplicationResponder
 
-  protect_from_forgery with: :exception
-
   rescue_from CanCan::AccessDenied do |exception|
     respond_to do |format|
       format.html { redirect_to main_app.root_url, alert: exception.message }