From 874c6331d2aec9e2e6fd0efe63468d3d9fa7810a Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Sun, 14 Dec 2014 23:51:00 +0300 Subject: [PATCH] A plan on security guide CSRF section --- docs/guide/security-best-practices.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md index bd8cab4..70bd020 100644 --- a/docs/guide/security-best-practices.md +++ b/docs/guide/security-best-practices.md @@ -120,7 +120,12 @@ Note that HtmlPurifier processing is quite heavy so consider adding caching. Avoiding CSRF ------------- -TBD +TBD: what's CSRF, how it works, intro + +1. Follow HTTP specification i.e. GET should not change application state. +2. Keep Yii CSRF protection enabled. + +TBD: how CSRF protection works Avoiding file exposure
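Review bot: the two new list items leave the reader without anything actionable, and the `TBD:` placeholder lines land in a published guide file. Item 2, "Keep Yii CSRF protection enabled.", does not say what "enabled" means in configuration terms; it should name the request/controller property that switches the check on (in Yii 2 that is `enableCsrfValidation`, which is on by default) and how to confirm the token is being emitted in forms, since a reader who has turned it off for one controller cannot tell from this line that they have weakened the protection. Item 1 should say which methods are "safe" (GET, HEAD, OPTIONS) and why it matters: the CSRF check is skipped for those, so any state change reachable by GET is unprotected regardless of item 2. Suggest either filling the intro and "how CSRF protection works" paragraphs in this commit or wrapping the placeholders so they do not render as the section text.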