From 00a420d55985ee147496f97cf718caf630d58753 Mon Sep 17 00:00:00 2001
From: "svelte-docs-bot[bot]" <196124396+svelte-docs-bot[bot]@users.noreply.github.com>
Date: Sat, 23 Aug 2025 16:55:02 +0000
Subject: [PATCH] sync kit docs
---
.../content/docs/kit/98-reference/50-configuration.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apps/svelte.dev/content/docs/kit/98-reference/50-configuration.md b/apps/svelte.dev/content/docs/kit/98-reference/50-configuration.md
index 1615a5b28f..5a5c7c0bbd 100644
--- a/apps/svelte.dev/content/docs/kit/98-reference/50-configuration.md
+++ b/apps/svelte.dev/content/docs/kit/98-reference/50-configuration.md
@@ -257,6 +257,7 @@ checkOrigin?: boolean;
- default `true`
+- deprecated Use `trustedOrigins: ['*']` instead
@@ -281,11 +282,13 @@ trustedOrigins?: string[];
-An array of origins that are allowed to make cross-origin form submissions to your app, even when `checkOrigin` is `true`.
+An array of origins that are allowed to make cross-origin form submissions to your app. Each origin should be a complete origin including protocol (e.g., `https://payment-gateway.com`). This is useful for allowing trusted third-party services like payment gateways or authentication providers to submit forms to your app.
+If the array contains `'*'`, all origins will be trusted. This is generally not recommended!
+ **Warning**: Only add origins you completely trust, as this bypasses CSRF protection for those origins.