diff --git a/csrf.md b/csrf.md
index caf29e42bcb..ed962522e4c 100644
--- a/csrf.md
+++ b/csrf.md
@@ -23,7 +23,7 @@ The `VerifyCsrfToken` [middleware](/docs/{{version}}/middleware), which is inclu
#### CSRF Tokens & JavaScript
-When building JavaScript driven applications, it is convenient to have your JavaScript HTTP library automatically attach the CSRF token to every outgoing request. By default, the `resources/js/bootstrap.js` file registers the value of the `csrf-token` meta tag with the Axios HTTP library. If you are not using this library, you will need to manually configure this behavior for your application.
+When building JavaScript driven applications, it is convenient to have your JavaScript HTTP library automatically attach the CSRF token to every outgoing request. By default, the Axios HTTP library provided in the `resources/js/bootstrap.js` file automatically sends an `X-XSRF-TOKEN` header using the value of the encrypted `XSRF-TOKEN` cookie. If you are not using this library, you will need to manually configure this behavior for your application.
## Excluding URIs From CSRF Protection
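Review bot: The added sentence under "CSRF Tokens & JavaScript" says Axios "automatically sends an `X-XSRF-TOKEN` header" without the "on same-origin requests" qualifier that the matching sentences elsewhere in this patch carry (the X-XSRF-TOKEN section of csrf.md and the passport.md paragraph). Suggest adding the qualifier here as well, so a reader making cross-origin calls does not assume the header is attached. The closing sentence, "you will need to manually configure this behavior", would also benefit from a pointer to the X-CSRF-TOKEN or X-XSRF-TOKEN section so it is clear what has to be configured.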
@@ -69,11 +69,11 @@ Then, once you have created the `meta` tag, you can instruct a library like jQue
}
});
-> {tip} By default, the `resources/js/bootstrap.js` file registers the value of the `csrf-token` meta tag with the Axios HTTP library. If you are not using this library, you will need to manually configure this behavior for your application.
-
## X-XSRF-TOKEN
-Laravel stores the current CSRF token in a `XSRF-TOKEN` cookie that is included with each response generated by the framework. You can use the cookie value to set the `X-XSRF-TOKEN` request header.
+Laravel stores the current CSRF token in an encrypted `XSRF-TOKEN` cookie that is included with each response generated by the framework. You can use the cookie value to set the `X-XSRF-TOKEN` request header.
+
+This cookie is primarily sent as a convenience since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the `X-XSRF-TOKEN` header on same-origin requests.
-This cookie is primarily sent as a convenience since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the `X-XSRF-TOKEN` header.
+> {tip} By default, the `resources/js/bootstrap.js` file includes the Axios HTTP library which will automatically send this for you.
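Review bot: In the relocated tip, "will automatically send this for you" has no clear antecedent, because the paragraphs above it mention both the `XSRF-TOKEN` cookie and the `X-XSRF-TOKEN` header. Suggest "will automatically send the `X-XSRF-TOKEN` header for you". Since the first added line now describes the cookie as encrypted, this section should also state what the passport.md tip in this patch states: the cookie value goes in `X-XSRF-TOKEN`, while `X-CSRF-TOKEN` needs the unencrypted token from `csrf_token()`. Without that, a reader who only sees csrf.md may copy the cookie value into the wrong header.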
diff --git a/passport.md b/passport.md
index 0f6eb336583..abeac76a97e 100644
--- a/passport.md
+++ b/passport.md
@@ -893,15 +893,9 @@ If needed, you can customize the `laravel_token` cookie's name using the `Passpo
#### CSRF Protection
-When using this method of authentication, the default Laravel JavaScript scaffolding instructs Axios to always send the `X-CSRF-TOKEN` and `X-Requested-With` headers. However, you should be sure to include your CSRF token in a [HTML meta tag](/docs/{{version}}/csrf#csrf-x-csrf-token):
+When using this method of authentication, you will need to ensure a valid CSRF token header is included in your requests. The default Laravel JavaScript scaffolding includes an Axios instance, which by default will automatically use the encrypted `XSRF-TOKEN` cookie value to send a `X-XSRF-TOKEN` header on same-origin requests.
- // In your application layout...
-
-
- // Laravel's JavaScript scaffolding...
- window.axios.defaults.headers.common = {
- 'X-Requested-With': 'XMLHttpRequest',
- };
+> {tip} If you choose to send the `X-CSRF-TOKEN` header instead of `X-XSRF-TOKEN`, you will need to use the unencrypted token provided by `csrf_token()`.
## Events
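Review bot: The new tip tells readers who send `X-CSRF-TOKEN` to use `csrf_token()`, but this hunk removes the link to `/docs/{{version}}/csrf#csrf-x-csrf-token` that showed how to expose that token to JavaScript, so the tip has nothing to point at. Suggest linking the tip to that section. The removed snippet also set `X-Requested-With`, and the replacement paragraph does not say whether that header is still sent or still needed; a sentence either way would close the gap. Nit: "a `X-XSRF-TOKEN` header" should read "an `X-XSRF-TOKEN` header", matching the wording in csrf.md.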