From f83e1aeb6bda730a5a441f828fcb133ca1a62e4f Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Wed, 8 May 2024 19:39:51 -0700 Subject: [PATCH] Updated Setting up Authentication (markdown) --- Setting-up-Authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md index 07d39f4..0ceb932 100644 --- a/Setting-up-Authentication.md +++ b/Setting-up-Authentication.md @@ -211,7 +211,7 @@ curl -X 'GET' \ > Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks). -Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. By default, this only allows you to make requests from the same domain ArchiveBox is being served on (e.g. from browser devtools open on an ArchiveBox page. To allow incoming POST requests from other domains **that you trust**, you must add them to the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) config option. +Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests. By default, this only allows you to make requests from the same domain ArchiveBox is being served on (e.g. from browser devtools open on an ArchiveBox page). To allow incoming POST requests from other domains **that you trust**, you must add them to the [`CSRF_TRUSTED_ORIGINS`](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins) config option. ```bash curl -X 'GET' \ 
@@ -220,6 +220,8 @@ curl -X 'GET' \ -H 'Cookie: sessionid=YOURSESSIONIDVALUEHERE' ``` +This method can also be used safely for requests outside a browser environment (where CSRF/CORS restrictions do not apply),
e.g. many tools like `curl`, `wget`, Postman, etc. can use cookies for request authentication.
+
### API HTTP Basic Authentication
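Review bot: in the first hunk (`@@ -211,7 +211,7 @@`) the change only restores the closing parenthesis after "open on an ArchiveBox page", while two nearby defects are left in place: the unchanged blockquote line just above still reads "This is is an [important security principle]", and the edited sentence itself is a comma splice ("Log in via the Admin Web UI: `/admin/login/`, you can then re-use your login session id"). Since the paragraph is being touched anyway, suggest dropping the duplicated "is" and splitting the sentence, e.g. "Log in via the Admin Web UI at `/admin/login/`. You can then re-use your login session id (stored in the `sessionid` cookie) for REST API requests."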
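Review bot: in the second hunk (`@@ -220,6 +220,8 @@`) the new sentence calls cookie re-use outside a browser "safe", but the reason CSRF/CORS checks are irrelevant there is that nothing except possession of the cookie protects the session: a `sessionid` value pasted into `curl`, `wget` or Postman is a bearer credential for the whole account for as long as the session lives. Suggest softening "safely" and adding a one-line caveat, e.g. "Outside a browser the `sessionid` cookie acts like an API key: keep it out of shell history, scripts and shared request collections, and prefer a dedicated API credential such as the HTTP Basic Authentication described in the next section for automation." Also worth confirming that the API views are actually exempt from Django's `CsrfViewMiddleware` before stating that "CSRF/CORS restrictions do not apply", since that middleware checks every unsafe-method request server-side regardless of whether a browser sent it; if the views are not exempt, a `curl` POST carrying only the `sessionid` cookie will be rejected with a 403.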