update CSRF docs

Carsten Brandt
2018-10-05 11:14:04 +02:00
parent 0989e9b591
commit bbdb3ee722


@ -158,18 +158,28 @@ Avoiding CSRF
-------------
CSRF is an abbreviation for cross-site request forgery. The idea is that many applications assume that requests coming
from a user browser are made by the user himself. It could be `false`.
from a user browser are made by the user themselves. This assumption could be false.
For example, `an.example.com` website has `/logout` URL that, when accessed using a simple GET, logs user out. As long
as it's requested by the user itself everything is OK but one day bad guys are somehow posting
`<img src="http://an.example.com/logout">` on a forum user visits frequently. Browser doesn't make any difference between
requesting an image or requesting a page so when user opens a page with such `img` tag, the browser will send the GET request to that URL, and the user will be logged out from `an.example.com`.
For example, the website `an.example.com` has a `/logout` URL that, when accessed using a simple GET request, logs the user out. As long
as it's requested by the user themselves everything is OK, but one day bad guys are somehow posting
`<img src="http://an.example.com/logout">` on a forum the user visits frequently. The browser doesn't make any difference between
requesting an image or requesting a page so when the user opens a page with such a manipulated `<img>` tag,
the browser will send the GET request to that URL and the user will be logged out from `an.example.com`.
That's the basic idea. One can say that logging user out is nothing serious, but bad guys can do much more, using this idea. Imagine that some website has an URL `http://an.example.com/purse/transfer?to=anotherUser&amount=2000`. Accessing it using GET request, causes transfer of $2000 from authorized user account to user `anotherUser`. We know, that browser will always send GET request to load an image, so we can modify code to accept only POST requests on that URL. Unfortunately, this will not save us, because an attacker can put some JavaScript code instead of `<img>` tag, which allows to send POST requests on that URL.
That's the basic idea of how a CSRF attack works. One can say that logging out a user is not a serious thing,
however this was just an example, there are much more things one could do using this approach, for example triggering payments
or changing data. Imagine that some website has an URL
`http://an.example.com/purse/transfer?to=anotherUser&amount=2000`. Accessing it using GET request, causes transfer of $2000
from authorized user account to user `anotherUser`. We know, that the browser will always send GET request to load an image,
so we can modify code to accept only POST requests on that URL. Unfortunately, this will not save us, because an attacker
can put some JavaScript code instead of `<img>` tag, which allows to send POST requests to that URL as well.
For this reason, Yii applies additional mechanisms to protect against CSRF attacks.
In order to avoid CSRF you should always:
1. Follow HTTP specification i.e. GET should not change application state.
See [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) for more details.
2. Keep Yii CSRF protection enabled.
Sometimes you need to disable CSRF validation per controller and/or action. It could be achieved by setting its property:
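Review bot: the reasoning in `so we can modify code to accept only POST requests on that URL. Unfortunately, this will not save us, because an attacker can put some JavaScript code instead of <img> tag` understates the problem: the attacker does not even need JavaScript, a plain auto-submitted `<form method="post" action="http://an.example.com/purse/transfer">` on the attacker's page makes the browser send the POST together with the victim's cookies just the same, so the point to make is that the server cannot rely on the request method alone and needs a secret that a cross-site page cannot read. Related, `For this reason, Yii applies additional mechanisms to protect against CSRF attacks.` is too vague for a security section; name the mechanism (the CSRF token that generated forms send back and the request component validates) so the reader understands why step 2 of the list actually closes the hole. `See [RFC2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html)` links an obsoleted RFC; RFC 7231 section 4.2.1 (Safe Methods) is the current definition of why GET must not change state. Wording nits in the new text: `an URL` should be `a URL`, `Accessing it using GET request, causes transfer` and `We know, that the browser` carry stray commas, `which allows to send POST requests` should be `which allows sending POST requests`, and `doesn't make any difference between` reads better as `doesn't distinguish between`.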
@ -247,6 +257,7 @@ Further reading on the topic:
- <https://www.owasp.org/index.php/CSRF>
Avoiding file exposure
----------------------
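Review bot: the hunk header `@ -247,6 +257,7 @@ Further reading on the topic:` reports one added line in the reading list, but only the existing `- <https://www.owasp.org/index.php/CSRF>` entry and the following heading survive here, so the new reference cannot be checked; please make sure the added entry is a stable URL and, since it sits in a list of recommended reading, that it describes the token-based defence this section tells the user to keep enabled rather than only the attack.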