Currently, the handler for CSRF errors works for HTML requests and JS requests, but not for JSON requests:
This is resulting in a lot of errors from the hit count endpoint in New Relic. The handler should be modified to return a reasonable value for JSON requests. (In fact, since the JS handler returns JSON, it might work to just return the same thing for both JS and JSON requests.)
Disable all cookies.
View a work on staging.
Make sure that the ActionController::UnknownFormat error doesn't appear in New Relic.