diff --git a/aio/content/guide/http.md b/aio/content/guide/http.md index 2ba16fd053..79ddf7a438 100644 --- a/aio/content/guide/http.md +++ b/aio/content/guide/http.md @@ -951,7 +951,7 @@ by returning an observable of simulated events. ## Security: XSRF protection -[Cross-Site Request Forgery (XSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. +[Cross-Site Request Forgery (XSRF or CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. `HttpClient` supports a [common mechanism](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default `XSRF-TOKEN`, and sets it as an HTTP header, `X-XSRF-TOKEN`. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker. diff --git a/aio/content/guide/security.md b/aio/content/guide/security.md index 19aeeb39bf..2dd439d7d2 100644 --- a/aio/content/guide/security.md +++ b/aio/content/guide/security.md 
@@ -276,7 +276,7 @@ This technique is effective because all browsers implement the _same origin poli on which cookies are set can read the cookies from that site and set custom headers on requests to that site. That means only your application can read this cookie token and set the custom header. The malicious code on `evil.com` can't. -Angular's `HttpClient` has built-in support for the client-side half of this technique. Read about it more in the [HttpClient guide](/guide/http). +Angular's `HttpClient` has built-in support for the client-side half of this technique. Read about it more in the [HttpClient guide](/guide/http#security-xsrf-protection). For information about CSRF at the Open Web Application Security Project (OWASP), see Cross-Site Request Forgery (CSRF) and
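Review bot: In the first hunk (aio/content/guide/http.md), the new "(XSRF or CSRF)" alias is introduced only in the opening sentence while the section heading stays "## Security: XSRF protection"; that is the right call here, since the second hunk links to this section by the fragment `#security-xsrf-protection`, which is derived from that heading text, so the heading must not be renamed in the same spirit without updating the link. One further documentation point on the unchanged context in this hunk: the sentence "the backend can be certain that the HTTP request came from your client application" holds only if the backend actually compares the `X-XSRF-TOKEN` header value with the `XSRF-TOKEN` cookie (or session-bound token) on every state-changing request; a short clause saying the server-side check is required would keep readers from assuming the interceptor alone is sufficient.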
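Review bot: In the second hunk (aio/content/guide/security.md), the deep link `/guide/http#security-xsrf-protection` is an improvement over linking to the top of the guide, but the fragment is only as stable as the generated anchor for the heading "## Security: XSRF protection" in http.md; please confirm the site's heading-to-id slugging produces exactly `security-xsrf-protection` (colon dropped, spaces to hyphens) and consider giving that heading an explicit id so a future heading edit does not silently break this cross-reference.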