yiisoft · samdark · Jun 29, 2026 · Jun 29, 2026
diff --git a/src/cookbook/disabling-csrf-protection.md b/src/cookbook/disabling-csrf-protection.md
@@ -4,7 +4,7 @@
 
 Cross-Site Request Forgery (CSRF) protection is a security mechanism that prevents malicious websites from making 
 unauthorized requests on behalf of authenticated users. Yii3 includes built-in CSRF protection through 
-the `Yiisoft\Yii\Web\Middleware\Csrf` middleware.
+the `Yiisoft\Yii\Web\Middleware\CsrfTokenMiddleware` middleware.
 
 For a comprehensive understanding of CSRF attacks and protection mechanisms, see
 the [Security best practices](../guide/security/best-practices.md#avoiding-csrf) section in the main guide.
@@ -44,7 +44,7 @@ return [
                         CsrfTokenMiddleware::class, // <- Remove this line                        
 ```
 
-Now, if you need to leave CSRF on for specific routes or route groups, you can do so by adding the `CsrfMiddleware` 
+Now, if you need to leave CSRF on for specific routes or route groups, you can do so by adding the `CsrfTokenMiddleware` 
 middleware to the router configuration in `config/common/routes.php`. For a group that would be the following:
 
 ```php

diff --git a/src/guide/runtime/sessions.md b/src/guide/runtime/sessions.md
@@ -46,7 +46,7 @@ return [
                     ->withMiddlewares(
                         [
                             Router::class,
-                            CsrfMiddleware::class,
+                            CsrfTokenMiddleware::class,
                             SessionMiddleware::class, // <-- add this
                             ErrorCatcher::class,
                         ]

diff --git a/src/guide/security/best-practices.md b/src/guide/security/best-practices.md
@@ -150,8 +150,10 @@ To avoid CSRF, you should always:
    See [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) for more details.
 2. Keep Yii CSRF protection enabled.
 
-Yii has CSRF protection as `Yiisoft\Yii\Web\Middleware\Csrf` middleware.
-Make sure it's in your application middleware stack.
+Yii has CSRF protection via `Yiisoft\Csrf\CsrfTokenMiddleware` from the [`yiisoft/csrf`](https://github.com/yiisoft/csrf) package.
+Make sure it's in your application middleware stack. For AJAX/SPA backends that use cookie-based authentication,
+the same package provides `Yiisoft\Csrf\CsrfHeaderMiddleware` — an alternative approach that relies on custom request 
+headers and the CORS preflight mechanism instead of token-in-form.
 
 Further reading on the topic:
 

diff --git a/src/guide/structure/middleware.md b/src/guide/structure/middleware.md
@@ -95,7 +95,7 @@ return [
                             ErrorCatcher::class,
                             BasicAuthentication::class,
                             SessionMiddleware::class,
-                            CsrfMiddleware::class,
+                            CsrfTokenMiddleware::class,
                             Router::class,
                         ]
                     );