diff options
Diffstat (limited to 'docs/topics')
| -rw-r--r-- | docs/topics/security.txt | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/security.txt b/docs/topics/security.txt index eb1172e7e8..ff33e8be6d 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -65,10 +65,10 @@ this if you know what you are doing. There are other :ref:`limitations <csrf-limitations>` if your site has subdomains that are outside of your control. -:ref:`CSRF protection works <how-csrf-works>` by checking for a nonce in each +:ref:`CSRF protection works <how-csrf-works>` by checking for a secret in each POST request. This ensures that a malicious user cannot simply "replay" a form POST to your website and have another logged in user unwittingly submit that -form. The malicious user would have to know the nonce, which is user specific +form. The malicious user would have to know the secret, which is user specific (using a cookie). When deployed with :ref:`HTTPS <security-recommendation-ssl>`, |
