From b636406043ccff66d6f8a84d3c081390d85fcc8e Mon Sep 17 00:00:00 2001 From: Alexey Elin Date: Sat, 16 Jan 2021 09:13:59 +0300 Subject: [PATCH] docs: fix broken link to XSRF common protection mechanism (#40458) PR Close #40458 --- aio/content/guide/http.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aio/content/guide/http.md b/aio/content/guide/http.md index ec5c7be765..f401e48d5f 100644 --- a/aio/content/guide/http.md +++ b/aio/content/guide/http.md @@ -995,7 +995,7 @@ consider moving it to a utility function or into the `PackageSearchService` itse ## Security: XSRF protection [Cross-Site Request Forgery (XSRF or CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. -`HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) used to prevent XSRF attacks. +`HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-header_token) used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default `XSRF-TOKEN`, and sets it as an HTTP header, `X-XSRF-TOKEN`. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
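Review bot: The replacement link on the `+` line still depends on a Wikipedia section fragment, `#Cookie-to-header_token`, and the only difference from the removed `#Cookie-to-Header_Token` is capitalization. The fragment follows the article's section heading, so the link will break again the next time that heading is renamed or re-cased. Consider pointing at a permanent revision of the article, or at a reference whose anchors are not derived from editable headings, so that the XSRF section keeps leading readers to the cookie-to-header description. It would also help to say in the commit message that only the case of the fragment changed, since that is hard to spot in a one-line diff.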