From 21d5beaed1641e1f50ab1ab3c481b1c8f3ad1173 Mon Sep 17 00:00:00 2001
From: Donald Stufft <donald@stufft.io>
Date: Fri, 15 Apr 2016 17:59:55 -0400
Subject: Have Automatic CSRF on all unsafe HTTP methods

Instead of only protecting against unsafe POST requests, have the automatic
CSRF protect on all methods which are not defined as "safe" by RFC2616.
---
 docs/whatsnew-1.7.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'docs/whatsnew-1.7.rst')

diff --git a/docs/whatsnew-1.7.rst b/docs/whatsnew-1.7.rst
index 83ece690e..b85e65ec1 100644
--- a/docs/whatsnew-1.7.rst
+++ b/docs/whatsnew-1.7.rst
@@ -39,14 +39,14 @@ Feature Additions
   to security checks. See https://github.com/Pylons/pyramid/pull/2021
 
 - Added a new setting, ``pyramid.require_default_csrf`` which may be used
-  to turn on CSRF checks globally for every POST request in the application.
+  to turn on CSRF checks globally for every request in the application.
   This should be considered a good default for websites built on Pyramid.
   It is possible to opt-out of CSRF checks on a per-view basis by setting
   ``require_csrf=False`` on those views.
   See :ref:`auto_csrf_checking` and
   https://github.com/Pylons/pyramid/pull/2413
 
-- Added a ``require_csrf`` view option which will enforce CSRF checks on POST
+- Added a ``require_csrf`` view option which will enforce CSRF checks on
   requests. If the CSRF check fails a ``BadCSRFToken`` exception will be
   raised and may be caught by exception views (the default response is a
   ``400 Bad Request``). This option should be used in place of the deprecated
-- 
cgit v1.2.3