also mention the csrf_token helper

mojolicious · Feb 7, 2016 · c881b68 · c881b68
1 parent 30efdec
commit c881b68
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,5 @@
 
-6.45  2016-02-06
+6.45  2016-02-07
 
 6.44  2016-02-04
   - Removed deprecated format_regex attribute from Mojolicious::Routes::Pattern.

diff --git a/lib/Mojolicious/Guides/Rendering.pod b/lib/Mojolicious/Guides/Rendering.pod
@@ -947,9 +947,10 @@ L<Mojolicious::Validator::Validation/"error">.
 =head2 Cross-site request forgery
 
 CSRF is a very common attack on web applications that trick your logged in
-users to submit forms they did not intend to send. All you have to do, to
-protect your users from this, is to add an additional hidden field to your
-forms with L<Mojolicious::Plugin::TagHelpers/"csrf_field">, and validate it with
+users to submit forms they did not intend to send, with something as mundane as
+a link. All you have to do, to protect your users from this, is to add an
+additional hidden field to your forms with
+L<Mojolicious::Plugin::TagHelpers/"csrf_field">, and validate it with
 L<Mojolicious::Validator::Validation/"csrf_protect">.
 
   use Mojolicious::Lite;
@@ -985,7 +986,9 @@ L<Mojolicious::Validator::Validation/"csrf_protect">.
     </body>
   </html>
 
-The token can also be submitted with the C<X-CSRF-Token> request header.
+For Ajax requests and the like, you can also generate a token directly with the
+helper L<Mojolicious::Plugin::DefaultHelpers/"csrf_token">, and then pass it
+along with the C<X-CSRF-Token> request header.
 
 =head1 ADVANCED