ring anti-forgery is enabled by default, but that is not mentioned in docs

[sventech]

As you helped me understand in the issue on ring anti-forgery, a normal punter will try to use wrap-defaults with site-defaults and then add wrap-anti-forgery, not realising that it is redundant.

How could we best add docs to indicate how to handle CSRF / XSRF validation? I guess you're suggesting a complete map of default options?

[weavejester]

Yep, we'll just have a section to document each of the *-defaults option maps.