update readme

README.md

@@ -274,6 +274,7 @@ return [
 The use of a custom request header for CSRF protection is based on the CORS Protocol. Thus, you **must** configure the CORS module to allow or deny cross-origin access to the backend API.
 
 >**Warning**  
+>
 >`CsrfHeaderMiddleware` can be used to prevent forgery of same-origin requests and requests from the list of specific origins only.
 
 

src/CsrfHeaderMiddleware.php

@@ -67,6 +67,10 @@ public function withHeaderName(string $name): self
         return $new;
     }
 
+    /**
+     * @param array $methods "unsafe" methods not triggered a CORS-preflight request
+     * @link https://fetch.spec.whatwg.org/#http-cors-protocol
+     */
     public function withUnsafeMethods(array $methods): self
     {
         $new = clone $this;

src/CsrfMiddleware.php

@@ -80,6 +80,10 @@ public function withHeaderName(string $name): self
         return $new;
     }
 
+    /**
+     * @param array $methods "safe" methods skipped on CSRF token validation
+     * @link https://datatracker.ietf.org/doc/html/rfc9110#name-safe-methods
+     */
     public function withSafeMethods(array $methods): self
     {
         $new = clone $this;

src/CsrfTokenMiddleware.php

@@ -79,6 +79,10 @@ public function withHeaderName(string $name): self
         return $new;
     }
 
+    /**
+     * @param array $methods "safe" methods skipped on CSRF token validation
+     * @link https://datatracker.ietf.org/doc/html/rfc9110#name-safe-methods
+     */
     public function withSafeMethods(array $methods): self
     {
         $new = clone $this;