diff --git a/www/content/docs.md b/www/content/docs.md index 8ec3d183f..49a7a548f 100644 --- a/www/content/docs.md +++ b/www/content/docs.md @@ -1697,6 +1697,8 @@ for exploring this topic. The assignment and checking of CSRF tokens are typically backend responsibilities, but `htmx` can support returning the CSRF token automatically with every request using the `hx-headers` attribute. The attribute needs to be added to the element issuing the request or one of its ancestor elements. This makes the `html` and `body` elements effective global vehicles for adding the CSRF token to the `HTTP` request header, as illustrated below. +Note: `hx-boost` does not not update the `` or `` tags; if using this feature with `hx-boost`, make sure to include the CSRF token on an element that _will_ get replaced. Many web frameworks support automatically inserting the CSRF token as a hidden input in HTML forms. This is encouraged whenever possible. + ```html :
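Review bot: the added Note line has a doubled word, "does not not update", and the two inline code spans that should name the tags are empty ("the `` or `` tags"), so the sentence never says which elements `hx-boost` leaves untouched. The context line just above names the `html` and `body` elements; if those are the ones meant, write them the same way, or escape the angle brackets so the renderer keeps them. Since the paragraph above recommends exactly those elements as global carriers for the token, the note should also state what goes wrong when the token sits on an element that is not replaced, so readers using `hx-boost` understand why the earlier advice does not apply to them. The hidden-input recommendation reads as general guidance and would be clearer as its own paragraph rather than as the tail of the Note.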