From 9388034295ce7042958e27b595bd339692bcdbc6 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Fri, 28 Feb 2025 14:00:32 +0100 Subject: [PATCH] Make CSRF check clearer Signed-off-by: Christian Wolf --- developer_manual/basics/controllers.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/developer_manual/basics/controllers.rst b/developer_manual/basics/controllers.rst index 83f0a8e5d..5b34aa585 100644 --- a/developer_manual/basics/controllers.rst +++ b/developer_manual/basics/controllers.rst @@ -799,7 +799,10 @@ By default every controller method enforces the maximum security, which is: * Ensure that the user is admin * Ensure that the user is logged in * Ensure that the user has passed the two-factor challenge, if applicable -* Check the CSRF token +* Ensure the request is no CSRF attack, that is at least one of the following: + + - Ensure the CSRF token is present and valid + - Ensure the ``OCS-APIRequest`` header is present and set to ``true`` [1]_ Loosening the default restrictions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1023,3 +1026,5 @@ The following policy for instance allows images, audio and videos from other dom --- +.. [1] Even though the header name ``OCS-APIRequest`` hints purely at OCS controllers, with NC 30 classic controller methods respect this header as well. + Until NC 30, classical controller methods did not respect the header.
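Review bot: In the first hunk, the new parent bullet reads awkwardly and is grammatically off ("Ensure the request is no CSRF attack, that is at least one of the following:"); suggest "Ensure the request is not a CSRF attack, i.e. at least one of the following holds:". The hunk also presents the ``OCS-APIRequest`` header as an alternative to the token without saying why it is an acceptable substitute; a reader deciding whether to rely on it would benefit from one sentence noting that the header only counts as a CSRF defence because a cross-site form cannot add custom request headers and a script would need a CORS preflight to do so, so its presence proves the request came from same-origin code rather than a forged form. Keep the nested ``-`` list indented by two spaces and separated from the parent bullet by a blank line, as the hunk does, so Sphinx renders it as a sub-list rather than a new top-level list.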
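Review bot: In the second hunk, the footnote's two sentences say the same thing twice and leave the boundary ambiguous ("with NC 30 ... respect this header as well" versus "Until NC 30 ... did not respect the header" does not make clear whether version 30 itself is included), and they alternate between "classic" and "classical". Suggest collapsing it to one sentence, for example "Since Nextcloud 30, classic (non-OCS) controller methods also honour this header; in earlier versions only OCS controllers did.", spelling out "Nextcloud" rather than "NC" to match the rest of the manual. Also double-check that the continuation line of the ``.. [1]`` footnote is indented to align with the footnote text; an unindented or under-indented second line will be parsed by docutils as a separate paragraph outside the footnote.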