Merge pull request #171 from youyoumu/docs/csrf-protection

bknoles · web-flow · commit cb692ebc067b · 2025-01-10T22:49:27.000-06:00
Add note about X-XSRF-TOKEN header
diff --git a/docs/guide/csrf-protection.md b/docs/guide/csrf-protection.md
@@ -57,6 +57,9 @@ Axios automatically checks for the existence of an `XSRF-TOKEN` cookie. If it's
 
 The easiest way to implement this is using server-side middleware. Simply include the `XSRF-TOKEN` cookie on each response, and then verify the token using the `X-XSRF-TOKEN` header sent in the requests from axios. (That's basically what `inertia_rails` does).
 
+> [!NOTE]
+> `X-XSRF-TOKEN` header only works for [Inertia requests](/guide/the-protocol#inertia-responses). If you want to send a normal request you can use `X-CSRF-TOKEN` instead.
+
 ## Handling mismatches
 
 When a CSRF token mismatch occurs, Rails raises the `ActionController::InvalidAuthenticityToken` error. Since that isn't a valid Inertia response, the error is shown in a modal.
