From 4c85a36716d175765428dc81903e050c8a570647 Mon Sep 17 00:00:00 2001 From: Yawar Amin Date: Mon, 21 Jul 2025 22:31:35 -0400 Subject: [PATCH] Adjust CSRF recommendation --- www/content/docs.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/www/content/docs.md b/www/content/docs.md index 8ec3d183f..49a7a548f 100644 --- a/www/content/docs.md +++ b/www/content/docs.md @@ -1697,6 +1697,8 @@ for exploring this topic. The assignment and checking of CSRF tokens are typically backend responsibilities, but `htmx` can support returning the CSRF token automatically with every request using the `hx-headers` attribute. The attribute needs to be added to the element issuing the request or one of its ancestor elements. This makes the `html` and `body` elements effective global vehicles for adding the CSRF token to the `HTTP` request header, as illustrated below. +Note: `hx-boost` does not not update the `` or `` tags; if using this feature with `hx-boost`, make sure to include the CSRF token on an element that _will_ get replaced. Many web frameworks support automatically inserting the CSRF token as a hidden input in HTML forms. This is encouraged whenever possible. + ```html :
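Review bot: the added Note line reads "does not not update"; the doubled "not" should be a single "does not update", since a literal reading inverts the warning. In the same line the two backtick spans in "the `` or `` tags" are empty as shown here, so the sentence never names the tags that `hx-boost` leaves alone. The preceding context paragraph refers to the `html` and `body` elements, so spell the names out and make sure they are escaped so they survive rendering. The note also lands between "as illustrated below" and the opening of the html example, which separates the example from the sentence that introduces it, and that example is introduced as putting the token on `html` or `body`, the placement the note warns about under `hx-boost`. Consider moving the note below the example, or showing the token on an element that does get replaced. The hidden-input recommendation ("Many web frameworks support automatically inserting the CSRF token as a hidden input") is a separate point from the `hx-boost` caveat and would read better as its own paragraph.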