diff options
Diffstat (limited to 'docs/narr')
| -rw-r--r-- | docs/narr/security.rst | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index 94469ba48..f6794dc2c 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -944,7 +944,9 @@ that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they are non-standard). If a host in the list of domains starts with a ``.`` then -that will allow all subdomains as well as the domain without the ``.``. +that will allow all subdomains as well as the domain without the ``.``. If no +``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check +will fail unless the ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This |