From fb9e40b701fea5b37b81f4d97976372630d507fa Mon Sep 17 00:00:00 2001 From: Ben Darnell Date: Sun, 1 May 2011 12:17:00 -0700 Subject: [PATCH] Document the ability to modify XSRF protection by overriding check_xsrf_cookie. Closes #254 --- website/templates/documentation.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt index b04ed8ad..31b31343 100644 --- a/website/templates/documentation.txt +++ b/website/templates/documentation.txt @@ -456,6 +456,14 @@ For `PUT` and `DELETE` requests (as well as `POST` requests that do not use form-encoded arguments), the XSRF token may also be passed via an HTTP header named `X-XSRFToken`. +If you need to customize XSRF behavior on a per-handler basis, you can +override `RequestHandler.check_xsrf_cookie()`. For example, if you have +an API whose authentication does not use cookies, you may want to disable +XSRF protection by making `check_xsrf_cookie()` do nothing. However, if +you support both cookie and non-cookie-based authentication, it is important +that XSRF protection be used whenever the current request is authenticated +with a cookie. + ### Static files and aggressive file caching
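Review bot: The new paragraph tells readers that mixed cookie/non-cookie authentication must keep XSRF protection "whenever the current request is authenticated with a cookie", but it does not show how to achieve that, and the phrase "making `check_xsrf_cookie()` do nothing" invites a blanket no-op override that silently drops the check for cookie-authenticated requests too. Suggest adding a short illustration to the documentation: the disabled case as an override whose body is `pass`, and the mixed case as an override that inspects the incoming request and, when the authentication cookie is present, delegates to the inherited `RequestHandler.check_xsrf_cookie()` rather than reimplementing the token comparison, so the cookie-authenticated path keeps the default protection. It would also help to state that the override applies to the handler class it is defined on (and any subclasses), so an application that wants the API exemption only for some handlers should put it on those handlers or a shared API base class, not on a project-wide base handler.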