diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md index 5858b5e..967030d 100644 --- a/Setting-up-Authentication.md +++ b/Setting-up-Authentication.md 
@@ -204,11 +204,12 @@ curl -X 'GET' \ ### API Session Cookie Authentication > [!CAUTION] -> We recommend sticking to header-based authentication and not using this method unless you fully understand the CSRF/CORS security risks. +> We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks. +> This method is mostly useful when testing API requests in the browser during development, as it lets you avoid having to manually attach a key to every request. -Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). - -You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but +> Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). +> +> You can tell browsers to allow incoming POST requests from specific domains you trust using the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) option. but Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. This makes it convenient to test API requests from a browser environment where you're already logged in.
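Review bot: the relocated paragraph still ends in the dangling fragment "option. but" (the trailing `but` has no continuation), and the "This is is an" typo is carried over verbatim into the new `> ` quoted lines; since both lines are already being rewritten into the caution block in this hunk, fix them here rather than leaving the blockquote to end mid-sentence. The wording "You can tell browsers to allow incoming POST requests from specific domains you trust" also misdescribes `CSRF_TRUSTED_ORIGINS`: that setting is a server-side allowlist that Django's CSRF middleware checks the request's Origin/Referer against for unsafe methods, not an instruction to the browser, and the preceding sentence about cross-domain requests "not including any session cookies by default" describes SameSite cookie behaviour rather than the linked Django CSRF check. Suggest something like `> You can add origins you trust to Django's [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) setting so that POST requests from those origins pass its CSRF origin check.` and drop the dangling `but`; "CSRF/CORS attacks" should read "CSRF attacks" since CORS is a browser policy, not an attack class.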