When this option is enabled, Hudson will check for a generated nonce value, or "crumb", on any request that may cause a change on the Hudson server. This includes any form submission and calls to the remote API.
More information about CSRF exploits can be found here.