[docs] feat(csrf): add breaking change for csrf (#287)

docs/deployment/breaking-changes.md

@@ -14,6 +14,7 @@ implemented.
 | [OpenCTI / OpenAEV compatibility](#octi-oaev-compatibility) | -             | 2.2.0      |
 | [OpenAEV encryption of secret](#openaev-encryption)         | -             | 2.1.0      |
 | [OpenAEV renaming](#openaev-renaming)                       | 1.18.20       | 2.0.0      |
+| [OpenAEV CSRF](#openaev-csrf)                               | -             | 2.3.4      |
 
 ## OpenAEV 2.2.0
 
@@ -72,4 +73,17 @@ automated.
 Take note that the first startup can be longer, all modifications have to be applied, and it can take a bit longer than
 usual.
 
-For more details, see [this migration guide](breaking-changes/2.0.0-openaev-renaming.md)
+For more details, see [this migration guide](breaking-changes/2.0.0-openaev-renaming.md)
+
+## OpenAEV 2.3.4
+
+### Introduction
+
+<a id="openaev-csrf"></a>
+
+#### OpenAEV CSRF protection for frontend API calls
+
+Starting with **OpenAEV 2.3.4**, frontend-initiated API calls must include a valid CSRF token.  
+To prevent API authentication and connection issues, make sure all ecosystem components are upgraded to versions compatible with OpenAEV 2.3.4.
+
+For more details, see [this migration guide](breaking-changes/2.3.4-csrf-token-enforcement.md)

docs/deployment/breaking-changes/2.3.4-csrf-token-enforcement.md

@@ -0,0 +1,46 @@
+# CSRF token enforcement for frontend API calls
+
+!!! info ""
+
+    * **Introduced in**: `OpenAEV 2.3.4`
+
+## Description of changes
+
+Starting with **OpenAEV 2.3.4**, API calls initiated from the **OpenAEV frontend** must include a valid **CSRF token**.
+
+This security change protects authenticated sessions against cross-site request forgery and affects request flows between the UI and backend APIs.
+
+Components that interact with OpenAEV APIs through authenticated web sessions must support this CSRF mechanism.
+
+## Impact
+
+If some platform components are upgraded while others remain on older versions, API calls can fail during authentication or state-changing requests.
+
+Typical symptoms include:
+
+- `401 Unauthorized` responses
+- `403 Forbidden` responses (missing or invalid CSRF token)
+- Connector failures when creating, updating, or triggering operations through the OpenAEV API
+
+## Migration guide
+
+To avoid service disruption, upgrade all OpenAEV ecosystem components together to versions compatible with **OpenAEV 2.3.4**.
+
+This includes, at minimum:
+
+- Injectors
+- Collectors
+- Agents
+- Connectors
+- Any custom integration using authenticated frontend/API flows
+
+!!! warning
+
+    Do not run mixed versions in production (for example: OpenAEV `2.3.4` with older injectors or collectors). Upgrade all components in the same maintenance window.
+
+## Validation checklist after upgrade
+
+1. Log in to the OpenAEV UI and trigger a standard action (for example, launch an inject or collect data).
+2. Confirm the action succeeds without authentication errors.
+3. Check platform and connector logs for `401`/`403` responses.
+4. Verify that no component reports API connection failures.