[ci skip] Add info about json request and http header for csrf

Author: michalsn

user_guide_src/source/libraries/security.rst

@@ -65,6 +65,22 @@ hidden input field for you::
 	// Generates: <input type="hidden" name="{csrf_token}" value="{csrf_hash}" />
 	<?= csrf_field() ?>
 
+When sending a JSON request the CSRF token can also be passed as one of the parameters.
+The next way to pass the CSRF token is a special Http header that's name is available by
+``csrf_header()`` function.
+
+Additionally, you can use the ``csrf_meta()`` method to generate this handy
+meta tag for you::
+
+	// Generates: <meta name="{csrf_header}" content="{csrf_hash}" />
+	<?= csrf_meta() ?>
+
+The order of checking the avability of the CSRF token is as follows:
+
+- ``$_POST`` array
+- Http header
+- ``php://input`` (JSON request) - bare in mind that this approach is the slowest one since we have to decode JSON and then encode it again
+
 Tokens may be either regenerated on every submission (default) or
 kept the same throughout the life of the CSRF cookie. The default
 regeneration of tokens provides stricter security, but may result