Added content from suggestions

christianlupus · christianlupus · commit 179d7743572e · 2025-09-26T20:52:10.000+02:00
Signed-off-by: Christian Wolf &lt;github@christianwolf.email&gt;
diff --git a/developer_manual/basics/controllers.rst b/developer_manual/basics/controllers.rst
@@ -439,7 +439,9 @@ developers can implement their own types of menu renderings by adding a custom
 class implementing the ``OCP\\AppFramework\\Http\\Template\\IMenuAction`` interface.
 
 As the public template is also some HTML template, the same argumentation as for :ref:`regular templates<controller_template>` regarding the CSRF checks hold true:
-The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable and is actually needed to visit the page without an active account.
+The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable for some pages:
+Each page that the user should be able to directly access (by typing/pastig the URL in the browser or clicking on a link in a mail) should have this attribute set.
+For multi-page forms in the second and later stages, this should **not** be set as the user should follow the series of pages.
 
 Data-based responses
 --------------------
diff --git a/developer_manual/digging_deeper/rest_apis.rst b/developer_manual/digging_deeper/rest_apis.rst
@@ -117,7 +117,7 @@ There are different ways a clients might interact with your APIs.
 These ways depend on your API configuration (what you allow) and on which route the request is finally made.
 
 - *Access from web frontend* means the user is accessing the Nextcloud web frontend with a web browser.
-- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.```
+- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.
 - *Access from external website* means that the user browses some third party web site and data from your Nextcloud server appears.
   The other website has to embed/load/use images, JSON data, or other resources from a URL pointing to the Nextcloud server, to be able to do this.
 
diff --git a/developer_manual/prologue/security.rst b/developer_manual/prologue/security.rst
@@ -233,7 +233,7 @@ If you are using the App Framework, every controller method is automatically che
 
 Additionally, it is advised to carefully select the HTTP method used for requests.
 Requests of type ``GET`` should not alter data but just read existing data.
-As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form).
+This way, at least no typed (or copied) URL might alter data (e.g. clicking a link from a spam mail message by accident).
 
 Unvalidated redirects
 ---------------------
