docs: add CSRF warning for session cookie API authentication feature

ErykKul · ErykKul · commit 4215552826bd · 2026-03-18T16:28:24.000+01:00
diff --git a/doc/sphinx-guides/source/installation/config.rst b/doc/sphinx-guides/source/installation/config.rst
@@ -3935,6 +3935,12 @@ dataverse.feature.api-session-auth
 ++++++++++++++++++++++++++++++++++
 
 Enables API authentication via session cookie (JSESSIONID). This is needed for some JSF/SAML-oriented integrations where bearer tokens are not used.
+
+.. warning::
+
+   Enabling this flag without also enabling :ref:`dataverse.feature.api-session-auth-hardening` exposes the installation to CSRF risks.
+   Always enable both flags together in production.
+
 By itself, this feature flag does not enable CSRF protections. For stricter protections, also enable :ref:`dataverse.feature.api-session-auth-hardening`.
 
 .. _dataverse.feature.api-session-auth-hardening:
diff --git a/src/main/java/edu/harvard/iq/dataverse/settings/FeatureFlags.java b/src/main/java/edu/harvard/iq/dataverse/settings/FeatureFlags.java
@@ -27,6 +27,8 @@ public enum FeatureFlags {
     /**
      * Enables API authentication via session cookie (JSESSIONID).
      * Needed for JSF/SAML-oriented integrations where bearer tokens are not used.
+     * <p><b>Caution:</b> Enabling this flag without also enabling
+     * {@link #API_SESSION_AUTH_HARDENING} exposes the installation to CSRF risks.</p>
      * By itself this flag does not enable CSRF protections; for stricter protections,
      * also enable {@link #API_SESSION_AUTH_HARDENING}.
      *
@@ -41,7 +43,7 @@ public enum FeatureFlags {
      * This feature only works when the feature flag {@link #API_SESSION_AUTH} is also enabled.
      *
      * @apiNote Raise flag by setting "dataverse.feature.api-session-auth-hardening"
-     * @since Dataverse 6.9
+     * @since Dataverse 6.10
      */
     API_SESSION_AUTH_HARDENING("api-session-auth-hardening"),
     /**
