From a40f2187fb4a7b68553acb501ac31a1039363c4d Mon Sep 17 00:00:00 2001 From: "J. Degand" <70610011+jdegand@users.noreply.github.com> Date: Sun, 1 Sep 2024 00:33:03 -0400 Subject: [PATCH] docs(angular): add HTTPClient CSRF protection content (#6922) * docs(angular): add XSRF protection content * docs(angular): move xsrf content to correct file * fix: remove extra line --- .../content/httpclient-csrf@m2aw8vb4rz4IjshpoMyNx.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/data/roadmaps/angular/content/httpclient-csrf@m2aw8vb4rz4IjshpoMyNx.md b/src/data/roadmaps/angular/content/httpclient-csrf@m2aw8vb4rz4IjshpoMyNx.md index 8a1840657..8f854d669 100644 --- a/src/data/roadmaps/angular/content/httpclient-csrf@m2aw8vb4rz4IjshpoMyNx.md +++ b/src/data/roadmaps/angular/content/httpclient-csrf@m2aw8vb4rz4IjshpoMyNx.md 
@@ -1 +1,11 @@ -# HttpClient CSRF \ No newline at end of file +# HttpClient CSRF + +HttpClient includes a built-in mechanism to prevent XSRF attacks. When making HTTP requests, an interceptor reads a token from a cookie (default name: XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only code running on your domain can read this cookie, the backend can verify that the HTTP request originates from your client application and not from an attacker. + +However, HttpClient only handles the client-side aspect of XSRF protection. Your backend service must be configured to set the cookie for your page and verify that the header is present on all relevant requests. Without this backend configuration, Angular’s default XSRF protection will not be effective. + +Visit the following resources to learn more: + +- [@official@Angular Official Docs - Security](https://angular.dev/best-practices/security#httpclient-xsrf-csrf-security) +- [@article@How can you protect Angular Web app from cross site request forgery?](https://www.linkedin.com/advice/3/how-can-you-protect-angular-web-app-from-cross-site-pyqwc) +- [@article@Cross Site Request Forgery: XSRF protection in Angular](https://borstch.com/blog/development/cross-site-request-forgery-xsrf-protection-in-angular) \ No newline at end of file
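Review bot: the heading keeps "HttpClient CSRF" while the new body switches to "XSRF" in its very first sentence and never says the two terms name the same attack; one clause in the first paragraph such as "XSRF (also written CSRF)" would save readers the lookup. The sentence "an interceptor reads a token from a cookie (default name: XSRF-TOKEN)" also implies a backend requirement the second paragraph leaves out: the interceptor reads the token with page script, so the cookie must not be set with the HttpOnly flag, otherwise the token is never found and no X-XSRF-TOKEN header is sent; this belongs next to "Your backend service must be configured to set the cookie for your page". Minor: the file still ends with "\ No newline at end of file"; add a trailing newline after the last resource link.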