summaryrefslogtreecommitdiff
path: root/docs/narr
diff options
context:
space:
mode:
Diffstat (limited to 'docs/narr')
-rw-r--r--docs/narr/sessions.rst9
-rw-r--r--docs/narr/viewconfig.rst9
2 files changed, 10 insertions, 8 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst
index ad086268b..0e895ff81 100644
--- a/docs/narr/sessions.rst
+++ b/docs/narr/sessions.rst
@@ -411,15 +411,16 @@ Checking CSRF Tokens Automatically
.. versionadded:: 1.7
-:app:`Pyramid` supports automatically checking CSRF tokens on POST requests.
-Any other request may be checked manually. This feature can be turned on
-globally for an application using the ``pyramid.require_default_csrf`` setting.
+:app:`Pyramid` supports automatically checking CSRF tokens on requests with an
+unsafe method as defined by RFC2616. Any other request may be checked manually.
+This feature can be turned on globally for an application using the
+``pyramid.require_default_csrf`` setting.
If the ``pyramid.required_default_csrf`` setting is a :term:`truthy string` or
``True`` then the default CSRF token parameter will be ``csrf_token``. If a
different token is desired, it may be passed as the value. Finally, a
:term:`falsey string` or ``False`` will turn off automatic CSRF checking
-globally on every POST request.
+globally on every request.
No matter what, CSRF checking may be explicitly enabled or disabled on a
per-view basis using the ``require_csrf`` view option. This option is of the
diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst
index 40db5fbeb..3b8f0353a 100644
--- a/docs/narr/viewconfig.rst
+++ b/docs/narr/viewconfig.rst
@@ -195,10 +195,11 @@ Non-Predicate Arguments
``require_csrf``
- CSRF checks only affect POST requests. Any other request methods will pass
- untouched. This option is used in combination with the
- ``pyramid.require_default_csrf`` setting to control which request parameters
- are checked for CSRF tokens.
+ CSRF checks will affect any request method that is not defined as a "safe"
+ method by RFC2616. In pratice this means that GET, HEAD, OPTIONS, and TRACE
+ methods will pass untouched and all others methods will require CSRF. This
+ option is used in combination with the ``pyramid.require_default_csrf``
+ setting to control which request parameters are checked for CSRF tokens.
This feature requires a configured :term:`session factory`.
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-23 19:58:45 +0000