[Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components][components-ref] and not [Account Portal][ap-ref] pages.
+ Optional object to style your components. Will only affect [Clerk components][components-ref] and not [Account Portal][ap-ref] pages.
---
@@ -148,7 +148,7 @@ The `[Localization](/docs/customization/localization) | undefined
- Optional object to localize your components. Will only affect [Clerk Components][components-ref] and not [Account Portal][ap-ref] pages.
+ Optional object to localize your components. Will only affect [Clerk components][components-ref] and not [Account Portal][ap-ref] pages.
---
@@ -218,7 +218,7 @@ The `\
-description: The `Hello! You are Signed In!
- You are signed in
+ [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/components/organization/organization-list.mdx b/docs/components/organization/organization-list.mdx
index d97d133011..1b14765ec9 100644
--- a/docs/components/organization/organization-list.mdx
+++ b/docs/components/organization/organization-list.mdx
@@ -29,7 +29,7 @@ All props are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/components/organization/organization-profile.mdx b/docs/components/organization/organization-profile.mdx
index 93e0731b7d..615d0a635d 100644
--- a/docs/components/organization/organization-profile.mdx
+++ b/docs/components/organization/organization-profile.mdx
@@ -19,7 +19,7 @@ All props are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/components/organization/organization-switcher.mdx b/docs/components/organization/organization-switcher.mdx
index f7e6a378ee..60c3a5e494 100644
--- a/docs/components/organization/organization-switcher.mdx
+++ b/docs/components/organization/organization-switcher.mdx
@@ -26,7 +26,7 @@ All props below are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/components/user/user-button.mdx b/docs/components/user/user-button.mdx
index 76029970cb..b9730e6479 100644
--- a/docs/components/user/user-button.mdx
+++ b/docs/components/user/user-button.mdx
@@ -38,7 +38,7 @@ All props are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/components/user/user-profile.mdx b/docs/components/user/user-profile.mdx
index 4c72998229..2465d2c3e0 100644
--- a/docs/components/user/user-profile.mdx
+++ b/docs/components/user/user-profile.mdx
@@ -15,7 +15,7 @@ All props are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
+ Optional object to style your components. Will only affect [Clerk components](/docs/components/overview) and not [Account Portal](/docs/customization/account-portal/overview) pages.
---
diff --git a/docs/custom-flows/email-links.mdx b/docs/custom-flows/email-links.mdx
index a11f5989fb..d91fc06fd0 100644
--- a/docs/custom-flows/email-links.mdx
+++ b/docs/custom-flows/email-links.mdx
@@ -46,7 +46,7 @@ Email link authentication can be configured through the Clerk Dashboard. Go to *
Don't forget that you also need to make sure you've configured your application instance to request the user's email address. Users can receive email links only via email messages. Make sure you toggle on **Email address** under the **Contact information** section.
-If you click on the **Settings cog** icon next to **Email address**, the email address configuration screen will pop open. You can toggle on **Require** if you want to make sure that all users have an email address associated with their profile.
+If you click on the **Settings** icon next to **Email address**, the email address configuration screen will pop open. You can toggle on **Require** if you want to make sure that all users have an email address associated with their profile.
You can also find the **Verification methods** section on this screen. Here, you can toggle on **Email verification link** if you would like to allow your users to verify their email with an email link. You can also toggle on **Email verification code** if you would like to allow your users to verify their email with a one-time passcode.
diff --git a/docs/custom-flows/email-password-mfa.mdx b/docs/custom-flows/email-password-mfa.mdx
index 45098ff0f4..4f39e11a68 100644
--- a/docs/custom-flows/email-password-mfa.mdx
+++ b/docs/custom-flows/email-password-mfa.mdx
@@ -21,7 +21,7 @@ This guide will walk you through how to build a custom email/password sign-in fl
1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username).
1. In the navigation sidebar, select **User & Authentication > Email, Phone, and Username**.
- 1. Ensure that _only_ **Email address** is required. If **Phone number** and **Username** are enabled, ensure they are not required. Use the settings cog icon next to each user attribute to check if a setting is required or optional. If you want to require **Username**, you must collect the username and pass the data to the `create()` method in your custom flow.
+ 1. Ensure that _only_ **Email address** is required. If **Phone number** and **Username** are enabled, ensure they are not required. Use the settings icon next to each user attribute to check if a setting is required or optional. If you want to require **Username**, you must collect the username and pass the data to the `create()` method in your custom flow.
1. In the **Authentication strategies** section of this page, ensure **Password** is enabled.
### Enable multi-factor authentication
diff --git a/docs/custom-flows/email-password.mdx b/docs/custom-flows/email-password.mdx
index 4335384979..1961b21aa3 100644
--- a/docs/custom-flows/email-password.mdx
+++ b/docs/custom-flows/email-password.mdx
@@ -17,7 +17,7 @@ This guide will walk you through how to build a custom email/password sign-up an
1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username).
1. In the navigation sidebar, select **User & Authentication > Email, Phone, and Username**.
- 1. Ensure that _only_ **Email address** is required. If **Phone number** and **Username** are enabled, ensure they are not required. Use the settings cog icon next to each option to verify if a setting is required or optional. If you would like to require **Username**, you must collect the username and pass it to the `create()` method in your custom flow.
+ 1. Ensure that _only_ **Email address** is required. If **Phone number** and **Username** are enabled, ensure they are not required. Use the settings icon next to each option to verify if a setting is required or optional. If you would like to require **Username**, you must collect the username and pass it to the `create()` method in your custom flow.
1. In the **Authentication strategies** section of this page, ensure **Password** is enabled.
> [!NOTE]
diff --git a/docs/custom-flows/email-sms-otp.mdx b/docs/custom-flows/email-sms-otp.mdx
index d9b2e47306..6d0f453e87 100644
--- a/docs/custom-flows/email-sms-otp.mdx
+++ b/docs/custom-flows/email-sms-otp.mdx
@@ -19,7 +19,7 @@ This guide will walk you through how to build a custom SMS OTP sign-up and sign-
1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username).
1. In the navigation sidebar, go to **User & Authentication > Email, Phone, Username**.
- 1. Ensure that _only_ **Phone number** is required. If **Email address** or **Username** are enabled, ensure they are not required. Use the settings cog icon to check if a setting is required or optional. If you would like to require **Username**, you must collect the username and pass it to the `create()` method in your custom flow. For this guide, if you would like to use email OTP instead, require the **Email address** option instead of the **Phone number** option.
+ 1. Ensure that _only_ **Phone number** is required. If **Email address** or **Username** are enabled, ensure they are not required. Use the settings icon to check if a setting is required or optional. If you would like to require **Username**, you must collect the username and pass it to the `create()` method in your custom flow. For this guide, if you would like to use email OTP instead, require the **Email address** option instead of the **Phone number** option.
1. In the **Authentication strategies** section of this page, ensure **SMS verification code** is enabled. Ensure **Password** is toggled off, as you are prioritizing passwordless, SMS OTP-only authentication in this guide. If you would like to use email OTP instead, enable the **Email verification code** strategy instead of the **SMS verification code** strategy.
### Sign-up flow
diff --git a/docs/customization/localization.mdx b/docs/customization/localization.mdx
index ceae51cc36..690a6e85a2 100644
--- a/docs/customization/localization.mdx
+++ b/docs/customization/localization.mdx
@@ -1,16 +1,16 @@
---
title: Localization prop (experimental)
-description: Use the Clerk localizations package to override and provide predefined or custom localizations for your Clerk Components, enabling you to offer localized content or tailor the wording to match your brand.
+description: Use the Clerk localizations package to override and provide predefined or custom localizations for your Clerk components, enabling you to offer localized content or tailor the wording to match your brand.
---
> [!WARNING]
> This feature is currently experimental and may not behave as expected. If you encounter any issues, please reach out to [support](/contact/support){{ target: '_blank' }} with as much detail as possible.
-Clerk offers the ability to override the strings for all of the elements in each of the Clerk Components. This allows you to provide localization for your users or change the wording to suit your brand.
+Clerk offers the ability to override the strings for all of the elements in each of the Clerk components. This allows you to provide localization for your users or change the wording to suit your brand.
## `@clerk/localizations`
-The `@clerk/localizations` package contains predefined localizations for the Clerk Components.
+The `@clerk/localizations` package contains predefined localizations for the Clerk components.
### Languages
@@ -256,7 +256,7 @@ Our localizations are customer-sourced and we encourage customers to add or upda
## Custom localizations
-You can also provide your own localizations for the Clerk Components. This is useful if you want to provide limited or quick localization for a language that Clerk doesn't currently support or if you want to change the wording to suit your brand.
+You can also provide your own localizations for the Clerk components. This is useful if you want to provide limited or quick localization for a language that Clerk doesn't currently support or if you want to change the wording to suit your brand.
### Usage
diff --git a/docs/guides/transferring-your-app.mdx b/docs/guides/transferring-your-app.mdx
index 80fd903c96..d754fe58ad 100644
--- a/docs/guides/transferring-your-app.mdx
+++ b/docs/guides/transferring-your-app.mdx
@@ -18,7 +18,7 @@ To set up a payment method without being charged:
> This guide offers a temporary solution for this issue. Clerk is actively working to improve this process.
1. Switch to the receiving organization and open the organization switcher at the top-left of the Dashboard.
-1. Select the cog icon (⚙) to manage your organization.
+1. Select the settings icon to manage your organization.
1. In the sidebar, select **Billing**, then select **Upgrade to unlimited members**.
1. Add your billing information. **You will not be charged immediately**. Doing this just ensures billing information is added to the organization.
1. Once that billing information is added, you will be able to transfer your Clerk app to the receiving organization.
diff --git a/docs/integrations/webhooks/inngest.mdx b/docs/integrations/webhooks/inngest.mdx
index 0cc98d3293..9331aa6879 100644
--- a/docs/integrations/webhooks/inngest.mdx
+++ b/docs/integrations/webhooks/inngest.mdx
@@ -3,7 +3,7 @@ title: Handling webhooks with Inngest
description: Learn how to integrate Clerk with Inngest.
---
-Webhooks allow you to [synchronize data](/docs/integrations/webhooks/sync-data) from Clerk to your application backend. You can either handle them directly in your backend with an endpoint or use a tool like [Inngest](https://inngest.com/) which receives the webhook events for you and reliably executes functions in your codebase. When handling webhooks, Inngest receives the [webhook events](/docs/integrations/webhooks/overview#supported-webhook-events) for you and uses a built-in queue to reliably execute longer running functions with additional functionality including:
+Webhooks allow you to [synchronize data](/docs/integrations/webhooks/sync-data) from Clerk to your application backend. You can either handle them directly in your backend with an endpoint or use a tool like [Inngest](https://www.inngest.com) which receives the webhook events for you and reliably executes functions in your codebase. When handling webhooks, Inngest receives the [webhook events](/docs/integrations/webhooks/overview#supported-webhook-events) for you and uses a built-in queue to reliably execute longer running functions with additional functionality including:
- [Limiting concurrency](https://www.inngest.com/docs/guides/concurrency) to handle spikes in events without overwhelming your API or database.
- Triggering multiple functions from a single event ([fan-out jobs](https://www.inngest.com/docs/guides/fan-out-jobs)).
diff --git a/docs/manifest.json b/docs/manifest.json
index 3bfd5ec86a..530e3bb61f 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -951,7 +951,23 @@
[
{
"title": "Playwright",
- "href": "/docs/testing/playwright"
+ "collapse": true,
+ "items": [
+ [
+ {
+ "title": "Overview",
+ "href": "/docs/testing/playwright/overview"
+ },
+ {
+ "title": "Test helpers",
+ "href": "/docs/testing/playwright/test-helpers"
+ },
+ {
+ "title": "Test authenticated flows",
+ "href": "/docs/testing/playwright/test-authenticated-flows"
+ }
+ ]
+ ]
},
{ "title": "Cypress", "href": "/docs/testing/cypress" },
{
diff --git a/docs/organizations/organization-workspaces.mdx b/docs/organizations/organization-workspaces.mdx
index 3894f2cd75..2bea196637 100644
--- a/docs/organizations/organization-workspaces.mdx
+++ b/docs/organizations/organization-workspaces.mdx
@@ -20,7 +20,7 @@ This guide will walk you through how to use the Clerk Dashboard to create an org
## Invite collaborators to your organization workspace
1. Navigate to the [Clerk Dashboard](https://clerk.com/dashboard).
-1. In the top left navigation, select the organization workspace and select the settings cog icon. A modal will appear with the organization profile.
+1. In the top left navigation, select the organization workspace and select the settings icon. A modal will appear with the organization profile.
1. Select the **Members** tab and select the **Invite** button.
1. Enter the email address of the collaborator you wish to invite and select the role you wish to assign to the collaborator. If inviting multiple collaborators at a time, ensure email addresses are separated by spaces or commas.
1. Select **Send invitations**.
diff --git a/docs/organizations/overview.mdx b/docs/organizations/overview.mdx
index f6fbb69e7e..62799b73a4 100644
--- a/docs/organizations/overview.mdx
+++ b/docs/organizations/overview.mdx
@@ -148,7 +148,7 @@ To configure your application's **Email address** settings:
1. Navigate to the [Clerk Dashboard](https://dashboard.clerk.com/last-active?path=user-authentication/email-phone-username).
1. In the navigation sidebar, select **User & Authentication > Email, Phone, Username**.
1. In the **Contact information** section, ensure that **Email address** is toggled on.
-1. Next to **Email address**, select the settings cog icon to configure the email address settings. Here, at least **Require** should be toggled on.
+1. Next to **Email address**, select the settings icon to configure the email address settings. Here, at least **Require** should be toggled on.
## Organization management
diff --git a/docs/organizations/roles-permissions.mdx b/docs/organizations/roles-permissions.mdx
index 5725b02a3d..bd840396ef 100644
--- a/docs/organizations/roles-permissions.mdx
+++ b/docs/organizations/roles-permissions.mdx
@@ -47,7 +47,7 @@ Permissions grant users privileged access to resources and operations, like crea
### System Permissions
-Clerk has a set of System Permissions that power [Clerk’s Frontend API](/docs/reference/frontend-api){{ target: '_blank' }} and [organization-related Clerk Components](/docs/components/overview#organization-components). They are a baseline set of permissions that Clerk needs to operate functionally.
+Clerk has a set of System Permissions that power [Clerk’s Frontend API](/docs/reference/frontend-api){{ target: '_blank' }} and [organization-related Clerk components](/docs/components/overview#organization-components). They are a baseline set of permissions that Clerk needs to operate functionally.
Clerk’s System Permissions consist of the following:
diff --git a/docs/quickstarts/express.mdx b/docs/quickstarts/express.mdx
index bc0743b576..f645a7a5e6 100644
--- a/docs/quickstarts/express.mdx
+++ b/docs/quickstarts/express.mdx
@@ -120,7 +120,7 @@ Learn how to integrate Clerk into your Express backend for secure user authentic
const app = express()
- app.get('/protected', requireAuth({ signInUrl: '/sign-in' }), (req, res) => {
+ app.get('/protected', requireAuth({ signInUrl: '/sign-in' }), async (req, res) => {
const { userId } = req.auth
const user = await clerkClient.users.getUser(userId)
return res.json({ user })
diff --git a/docs/references/javascript/clerk/clerk.mdx b/docs/references/javascript/clerk/clerk.mdx
index 4f727ba3dc..9dceaa0102 100644
--- a/docs/references/javascript/clerk/clerk.mdx
+++ b/docs/references/javascript/clerk/clerk.mdx
@@ -303,14 +303,14 @@ All props below are optional.
- `appearance`
- [Appearance](/docs/customization/overview) | undefined
- Optional object to style your components. Will only affect [Clerk Components][components-ref] and not [Account Portal][ap-ref] pages.
+ Optional object to style your components. Will only affect [Clerk components][components-ref] and not [Account Portal][ap-ref] pages.
---
- `localization`
- [Localization](/docs/customization/localization) | undefined
- Optional object to localize your components. Will only affect [Clerk Components][components-ref] and not [Account Portal][ap-ref] pages.
+ Optional object to localize your components. Will only affect [Clerk components][components-ref] and not [Account Portal][ap-ref] pages.
---
diff --git a/docs/references/nextjs/clerk-middleware.mdx b/docs/references/nextjs/clerk-middleware.mdx
index d3d09155f6..062b45faef 100644
--- a/docs/references/nextjs/clerk-middleware.mdx
+++ b/docs/references/nextjs/clerk-middleware.mdx
@@ -276,7 +276,7 @@ const isProtectedRoute = createRouteMatcher(['dashboard/(.*)'])
export default clerkMiddleware((auth, req) => {
if (isProtectedRoute(req)) auth().protect()
- intlMiddleware(req)
+ return intlMiddleware(req)
})
export const config = {
diff --git a/docs/references/nextjs/current-user.mdx b/docs/references/nextjs/current-user.mdx
index e0473559c0..4ba55fa768 100644
--- a/docs/references/nextjs/current-user.mdx
+++ b/docs/references/nextjs/current-user.mdx
@@ -8,7 +8,7 @@ The `currentUser` helper returns the [`Backend User`](/docs/references/backend/t
Under the hood, this helper:
- calls `fetch()`, so it is automatically deduped per request.
-- uses the `GET /v1/users/me` endpoint.
+- uses the [`GET /v1/users/{user_id}`](https://clerk.com/docs/reference/backend-api/tag/Users#operation/GetUser) endpoint.
- counts towards the [Backend API Request Rate Limit](/docs/backend-requests/resources/rate-limits#rate-limits).
```tsx {{ filename: 'app/page.tsx' }}
diff --git a/docs/references/nextjs/custom-signup-signin-pages.mdx b/docs/references/nextjs/custom-signup-signin-pages.mdx
index 64c4536e71..59931b767b 100644
--- a/docs/references/nextjs/custom-signup-signin-pages.mdx
+++ b/docs/references/nextjs/custom-signup-signin-pages.mdx
@@ -141,6 +141,6 @@ If Clerk's prebuilt components don't meet your specific needs or if you require
---
- - [Clerk Components](/docs/components/overview)
+ - [Clerk components](/docs/components/overview)
- Learn more about Clerk's prebuilt components that make authentication and user management easy.
diff --git a/docs/references/react/overview.mdx b/docs/references/react/overview.mdx
index 2b35b3f1b6..3c89e9ecb4 100644
--- a/docs/references/react/overview.mdx
+++ b/docs/references/react/overview.mdx
@@ -8,7 +8,7 @@ Clerk React is a wrapper around ClerkJS. It is the recommended way to integrate
> [!WARNING]
> If you are using Next.js, please make sure to install `@clerk/nextjs` as `@clerk/clerk-react` is incompatible. See the [Next.js](/docs/references/nextjs/overview) documentation for more information.
-Clerk React provides React.js implementations of [Clerk Components](/docs/components/overview); highly customizable, pre-built components that you can use to build beautiful user management applications. You can find display components for building [sign-in](/docs/components/authentication/sign-in), [sign-up](/docs/components/authentication/sign-up), [account switching](/docs/components/user/user-button), and [user profile management](/docs/components/user/user-profile) pages as well as flow [control components](/docs/components/control/signed-in) that act as helpers for implementing a seamless authentication experience.
+Clerk React provides React.js implementations of [Clerk components](/docs/components/overview); highly customizable, pre-built components that you can use to build beautiful user management applications. You can find display components for building [sign-in](/docs/components/authentication/sign-in), [sign-up](/docs/components/authentication/sign-up), [account switching](/docs/components/user/user-button), and [user profile management](/docs/components/user/user-profile) pages as well as flow [control components](/docs/components/control/signed-in) that act as helpers for implementing a seamless authentication experience.
Clerk React comes loaded with [custom hooks](/docs/references/react/use-user). These hooks give you access to the [Clerk object](/docs/references/javascript/clerk/clerk), and a set of useful helper methods for signing in and signing up.
diff --git a/docs/references/remix/clerk-app.mdx b/docs/references/remix/clerk-app.mdx
index a08c64d165..640f879ada 100644
--- a/docs/references/remix/clerk-app.mdx
+++ b/docs/references/remix/clerk-app.mdx
@@ -66,14 +66,14 @@ export default ClerkApp(App)
- `supportEmail?`
- `string`
- Optional support email for display in authentication screens. Will only affect Clerk Components and not Account Portal pages.
+ Optional support email for display in authentication screens. Will only affect Clerk components and not Account Portal pages.
---
- `localization`
- [Localization](/docs/customization/localization) | undefined
- Optional object to localize your components. Will only affect [Clerk Components][components-ref] and not [Account Portal][ap-ref] pages.
+ Optional object to localize your components. Will only affect [Clerk components][components-ref] and not [Account Portal][ap-ref] pages.
---
diff --git a/docs/security/csrf-protection.mdx b/docs/security/csrf-protection.mdx
index c5ab7e8d3a..29e5a3303f 100644
--- a/docs/security/csrf-protection.mdx
+++ b/docs/security/csrf-protection.mdx
@@ -3,26 +3,35 @@ title: CSRF protection
description: CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf.
---
-CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
+Cross Site Request Forgery (CSRF) is an attack that deceives a victim into submitting a malicious request. The attack inherits the victim's identity and privileges to perform an undesired action on the their behalf. For most sites, browser requests automatically include credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and more. Therefore, if the user is currently authenticated, the site cannot distinguish between a forged request initiated by the attacker and a legitimate request from the user.
-[The OWASP® Foundation, Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/xss/)
+[The OWASP® Foundation, Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf)
-Most Cross Site Request Forgery (CSRF) attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the _SameSite_ flag.
+Most CSRF attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the `SameSite` flag.
-## How does SameSite help prevent CSRF attacks?
+## What does a CSRF attack look like?
+
+Imagine an attacker made a malicious website at `foo.com` that contained the following code:
+
+```html
+