From 33bada212f31c9017e55b7cad6f2cccfc930ebf1 Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Wed, 8 May 2024 19:15:51 -0700 Subject: [PATCH] Updated Setting up Authentication (markdown) --- Setting-up-Authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md index d956b90..b423a63 100644 --- a/Setting-up-Authentication.md +++ b/Setting-up-Authentication.md @@ -211,10 +211,10 @@ curl -X 'GET' \ ### API Session Cookie Authentication -> [!DANGER] +> [!CAUTION] > We recommend sticking to header-based authentication and not using this method unless you fully understand the security risks. -Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an important security principle that protects you from CSRF/CORS attacks originating from JS served to users on websites you don't control. +Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but
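Review bot: the sentence added at the end of the rewritten paragraph misdescribes `CSRF_TRUSTED_ORIGINS`: "You can tell browsers to allow incoming POST requests from specific domains you trust using the `CSRF_TRUSTED_ORIGINS` option" is wrong, because that setting is read by Django's `CsrfViewMiddleware` on the server (it whitelists the `Origin`/`Referer` values accepted on unsafe requests such as POST) and sends nothing to the browser; what a browser honours is a CORS response header such as `Access-Control-Allow-Origin`, which this setting does not emit. Suggest: "You can tell Django to accept unsafe (e.g. POST) requests whose `Origin` is one of a list of domains you trust using the `CSRF_TRUSTED_ORIGINS` setting; this is a server-side check, not a browser-side permission." The same line also keeps the duplicated "This is is" from the old text and renames the threat to "CSRF/CORS attacks"; CORS is a browser policy, not an attack, so "aka CSRF attacks" is enough. The `[!DANGER]` to `[!CAUTION]` change is correct, since `CAUTION` is one of the alert types GitHub markdown renders and `DANGER` is not. The hunk's final context line ends with a bare "but", which looks like a truncated sentence in the wiki page rather than part of this change; worth checking the page itself.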