Imported from Linear: TYS-165
Source: docs/developers/START_HERE.md → ## Common Pitfalls
Session-authenticated write requests require CSRF protection, and the frontend currently handles this in frontend/src/api/client.js.
Goal:
- Prevent regressions where new clients or refactors omit CSRF handling.
- Make the expected request flow explicit for contributors touching auth or API clients.
Acceptance ideas:
- Developer docs explain when CSRF is required and where it is handled.
- There is a clear verification path for write requests from the frontend.
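
One way the request flow and a verification check could look, as an added example rather than the contents of frontend/src/api/client.js. The header name `X-CSRF-Token`, the cookie name `csrftoken`, and the helpers `makeClient` and `findUnprotectedWrites` are assumptions made for illustration.

```javascript
// Added example; every name here is an assumption, not the project's code.
const CSRF_HEADER = "X-CSRF-Token"; // assumed header name
const CSRF_COOKIE = "csrftoken";    // assumed cookie name
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Extract one cookie value from a Cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Wrap an injected fetch so every write request passes through one place.
function makeClient(fetchImpl, getCookies) {
  return function request(url, options = {}) {
    const method = (options.method || "GET").toUpperCase();
    const headers = { ...(options.headers || {}) };
    if (!SAFE_METHODS.has(method)) {
      const token = readCookie(getCookies(), CSRF_COOKIE);
      // Fail closed: never send a session-authenticated write without a token.
      if (!token) throw new Error(`CSRF token missing for ${method} ${url}`);
      headers[CSRF_HEADER] = token;
    }
    return fetchImpl(url, { ...options, method, headers, credentials: "same-origin" });
  };
}

// Verification path: given recorded calls, list writes that lack the header.
function findUnprotectedWrites(calls) {
  return calls
    .filter(({ options }) => !SAFE_METHODS.has((options.method || "GET").toUpperCase()))
    .filter(({ options }) => !(options.headers || {})[CSRF_HEADER])
    .map(({ url, options }) => `${options.method.toUpperCase()} ${url}`);
}

// Constructed demo: a recording fetch stub, two wrapped calls and one raw call.
function demo() {
  const calls = [];
  const fakeFetch = (url, options = {}) => { calls.push({ url, options }); return Promise.resolve({ ok: true }); };
  const request = makeClient(fakeFetch, () => "theme=dark; csrftoken=abc123");
  request("/api/items", { method: "post", body: "{}" });
  request("/api/items");
  fakeFetch("/api/items/1", { method: "DELETE" }); // a new client that bypasses the wrapper
  return findUnprotectedWrites(calls); // → ["DELETE /api/items/1"]
}
```

In a test suite, the same recording stub can replace the global fetch so that any write issued outside the shared client is reported by `findUnprotectedWrites`.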