From c84977e1bf3ca33fd80c47a08210a84810dbd9cb Mon Sep 17 00:00:00 2001
From: Roger Yang
Date: Wed, 9 Oct 2024 10:23:06 -0700
Subject: [PATCH] clarify docstring
---
 src/phoenix/config.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/phoenix/config.py b/src/phoenix/config.py
index 03957ee996..7000dee779 100644
--- a/src/phoenix/config.py
+++ b/src/phoenix/config.py
@@ -109,8 +109,11 @@
 """
 ENV_PHOENIX_CSRF_TRUSTED_ORIGINS = "PHOENIX_CSRF_TRUSTED_ORIGINS"
 """
-A comma-separated list of origins that are allowed to bypass Cross-Site Request Forgery (CSRF)
-protection. This is recommended when setting up OAuth2 clients or sending password reset emails.
+A comma-separated list of origins allowed to bypass Cross-Site Request Forgery (CSRF)
+protection. This setting is recommended when configuring OAuth2 clients or sending
+password reset emails. If this variable is left unspecified or contains no origins, CSRF
+protection will not be enabled. In such cases, when a request includes `origin` or `referer`
+headers, those values will not be validated.
 """
 
 # SMTP settings
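Review bot: The opening sentence of the docstring for `ENV_PHOENIX_CSRF_TRUSTED_ORIGINS` still calls the listed origins "allowed to bypass" CSRF protection, which reads the wrong way round next to the sentences this commit adds. Per the new text, an unset or empty value leaves the check off entirely, so the list appears to be what turns on `origin`/`referer` validation rather than an exemption from it. I would reword the opening to `A comma-separated list of origins trusted by Cross-Site Request Forgery (CSRF) protection.` and state the default on its own line, e.g. `Default: unset, which leaves CSRF protection disabled.` Because the default is fail-open, it would also help to say that deployments with authentication enabled should set this explicitly; the code that consumes the value is not visible in this hunk, so confirm the wording against it.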