# HG changeset patch # User Sebastien Jodogne # Date 1569871868 -7200 # Node ID 9223c3f26c1a79f3ce792ea2de6e1618304c0a3a # Parent 2e71e7cc0ec52c6904ddce110ad891c5d94731a0 csrf diff -r 2e71e7cc0ec5 -r 9223c3f26c1a Sphinx/source/faq/security.rst --- a/Sphinx/source/faq/security.rst Tue Sep 24 17:57:27 2019 +0200 +++ b/Sphinx/source/faq/security.rst Mon Sep 30 21:31:08 2019 +0200 @@ -100,9 +100,14 @@ user that runs Orthanc. * Consider implementing a :ref:`higher-level application - ` (e.g. in PHP) that takes care of user - authentication/authorization, and that is the only one to be - allowed to contact the Orthanc REST API. + ` (e.g. in PHP, Java, Django...) that takes + care of user authentication/authorization, and that is the only one + to be allowed to contact the Orthanc REST API. In particular, you + must create a higher-level application so as to properly deal with + `CSRF attacks + `__: + Indeed, as explained in the introduction, Orthanc is a microservice + that is designed to be used within a secured environment. * For advanced scenarios, you might have interest in the :ref:`advanced authorization plugin `. Similarly,
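Review bot: the new sentence in the security.rst hunk asserts that a higher-level application is required to "properly deal with CSRF attacks", but the justification that follows ("Indeed, as explained in the introduction, Orthanc is a microservice that is designed to be used within a secured environment") explains why direct access to the REST API should be restricted, not how the front-end is supposed to prevent CSRF, so the reader is left without the actionable part. Consider stating the mechanism explicitly, for instance that Orthanc's REST API itself carries no anti-CSRF protection and that the higher-level application must therefore be the only origin allowed to reach it and must bind state-changing requests to a per-session anti-CSRF token (or equivalent same-origin check) before forwarding them. Two smaller points in the same hunk: the link written as `CSRF attacks `__ and the `:ref:` target show no URL or label in the patch as displayed here, so confirm that the committed file actually contains them, otherwise Sphinx will emit a warning and render a dead link; and "PHP, Java, Django..." mixes two languages with a framework, so "PHP, Java, Python/Django..." (or simply naming languages) would read more consistently.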