Potential fix for pull request finding

ErykKul · Copilot · web-flow · commit 8dd3b114eb3c · 2026-03-18T17:07:41.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/doc/release-notes/12178-session-cookie-api-hardening.md b/doc/release-notes/12178-session-cookie-api-hardening.md
@@ -5,7 +5,7 @@ When hardening is enabled, every API request authenticated via session cookie mu
 - A valid same-origin `Origin` or `Referer` header.
 - The `X-Dataverse-CSRF-Token` header matching the token from `GET /api/users/:csrf-token`.
 
-This applies uniformly to all HTTP methods and all API paths, with no exceptions. Clients not on the same origin should use bearer-token authentication instead.
+This applies uniformly to all HTTP methods and all API paths, except for the CSRF bootstrap endpoint (`GET /api/users/:csrf-token`), which is intentionally callable without an existing `X-Dataverse-CSRF-Token` header so clients can obtain the initial token. All subsequent session-cookie-authenticated requests must include the header. Clients not on the same origin should use bearer-token authentication instead.
 
 Additional changes:
 
