Update docs/src/main/asciidoc/security-cors.adoc

sithmein · sberyozkin · web-flow · commit f1279a79be61 · 2025-12-06T17:18:40.000+01:00
Co-authored-by: Sergey Beryozkin &lt;sberyozkin@gmail.com&gt;
diff --git a/docs/src/main/asciidoc/security-cors.adoc b/docs/src/main/asciidoc/security-cors.adoc
@@ -37,7 +37,9 @@ For regular CORS requests, the filter denies access with an HTTP 403 status if t
 [NOTE]
 ====
 Despite its name the CORS filter may also prevent CSRF attacks based on link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin[Origin verification].
-Therefore, since `Origin` headers are set by the browser, you may want to consider using it instead of the xref:security-csrf-prevention.adoc[REST CSRF filter].
+Therefore, since an [Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin) header is expected to be set by the browser for cross-origin JavaScript and HTML form requests, you may want to consider using it instead of the xref:security-csrf-prevention.adoc[REST CSRF filter].
+
+You must confirm that the browser does set an `Origin` header for cross-origin requests when accessing your application, especially with HTML forms, before using the CORS filter to prevent CSRF  with the link:https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin[Origin verification].
 ====
 
 For detailed configuration options, see the following Configuration Properties section.
