Update Phoenix.Endpoint doc regarding the check_csrf opt

Cannot be disabled with `check_origin` disabled as well
phoenixframework · Oct 24, 2024 · 0f3fdab · 0f3fdab
1 parent f9a8f29
commit 0f3fdab
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/phoenix/endpoint.ex b/lib/phoenix/endpoint.ex
@@ -859,8 +859,8 @@ defmodule Phoenix.Endpoint do
       The MFA is invoked with the request `%URI{}` as the first argument,
       followed by arguments in the MFA list, and must return a boolean.
 
-    * `:check_csrf` - if the transport should perform CSRF check. If `origin` check is disabled as
-    well as CSRF check, your app is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks.
+    * `:check_csrf` - if the transport should perform CSRF check. Note that disabling
+    both CSRF and origin checks at the same time is not allowed and will raise.
     Defaults to `true`
 
     * `:code_reloader` - enable or disable the code reloader. Defaults to your

diff --git a/lib/phoenix/socket/transport.ex b/lib/phoenix/socket/transport.ex
@@ -463,7 +463,7 @@ defmodule Phoenix.Socket.Transport do
 
     * `:user_agent` - the value of the "user-agent" request header
 
-  The CSRF check can be disabled with the `:check_csrf` option.
+  The CSRF check can be disabled by setting the `:check_csrf` option to `false`.
   """
   def connect_info(conn, endpoint, keys, opts \\ []) do
     for key <- keys, into: %{} do