From eeaa4db60a2fd7fdb7daa7bcfb1fe73446e6e200 Mon Sep 17 00:00:00 2001 From: kenjis Date: Tue, 2 Nov 2021 15:37:45 +0900 Subject: [PATCH] docs: move CSRF Protection Methods section up This is a basic config item, so it is better to have it at the beginning. --- user_guide_src/source/libraries/security.rst | 31 ++++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index 48b97baf1f61..a7ee6e141f78 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -26,6 +26,21 @@ Cross-site request forgery (CSRF) .. warning:: The CSRF Protection is only available for **POST/PUT/PATCH/DELETE** requests. Requests for other methods are not protected. +CSRF Protection Methods +======================= + +By default, the Cookie based CSRF Protection is used. It is +`Double Submit Cookie `_ +on OWASP Cross-Site Request Forgery Prevention Cheat Sheet. + +You can also use Session based CSRF Protection. It is +`Synchronizer Token Pattern `_. + +You can set to use the Session based CSRF protection by editing the following config parameter value in +**app/Config/Security.php**:: + + public $csrfProtection = 'session'; + Enable CSRF Protection ====================== 
@@ -130,22 +145,6 @@ than simply crashing. This can be turned off by editing the following config par Even when the redirect value is ``true``, AJAX calls will not redirect, but will throw an error. -======================= -CSRF Protection Methods -======================= - -By default, the Cookie based CSRF Protection is used. It is -`Double Submit Cookie `_ -on OWASP Cross-Site Request Forgery Prevention Cheat Sheet. - -You can also use Session based CSRF Protection. It is -`Synchronizer Token Pattern `_. - -You can set to use the Session based CSRF protection by editing the following config parameter value in -**app/Config/Security.php**:: - - public $csrfProtection = 'session'; - ********************* Other Helpful Methods *********************
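Review bot: In the first hunk (the block added after the `.. warning::` at line 26), the heading `CSRF Protection Methods` is now written with an underline only (`=======================`), whereas the removed original used an overline and underline pair; in reStructuredText those are two distinct adornment styles, so this is a section-level change and not only a move, and it makes the heading a sibling of `Enable CSRF Protection` rather than a peer of the `*****` top-level sections. If that is intended, say so in the commit message; if not, restore the overline. Also, as shown in this hunk the two link lines read `` `Double Submit Cookie `_ `` and `` `Synchronizer Token Pattern `_ `` with nothing between the link text and `` `_ ``, so please confirm the `<https://...>` targets for both OWASP references survived the move in the actual file.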
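Review bot: In the second hunk (the deletion before `Other Helpful Methods`), the removed block ends with the `public $csrfProtection = 'session';` literal line and a trailing `-` blank, and is immediately followed by the `*********************` overline; please verify that one blank line still separates the preceding paragraph (`Even when the redirect value is ``true`` ...`) from that overline after the deletion, since reStructuredText needs a blank line before a section title and a missing one would render the overline as part of the paragraph.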