elastic · KOTungseth · Dec 16, 2019 · Jun 4, 2019 · Dec 4, 2019 · Dec 9, 2019
diff --git a/docs/api/spaces-management/post.asciidoc b/docs/api/spaces-management/post.asciidoc
@@ -16,28 +16,28 @@ experimental["The underlying Spaces concepts are stable, but the APIs for managi
 [[spaces-api-post-request-body]]
 ==== Request body
 
-`id`:: 
+`id`::
   (Required, string) The space ID that is part of the Kibana URL when inside the space. You are unable to change the ID with the update operation.
 
-`name`:: 
+`name`::
   (Required, string) The display name for the space.
 
-`description`:: 
+`description`::
   (Optional, string) The description for the space.
 
-`disabledFeatures`:: 
+`disabledFeatures`::
   (Optional, string array) The list of disabled features for the space. To get a list of available feature IDs, use the <<features-api-get, Features API>>.
 
-`initials`:: 
+`initials`::
   (Optional, string) Specifies the initials shown in the space avatar. By default, the initials are automatically generated from the space name. Initials must be 1 or 2 characters.
 
-`color`:: 
+`color`::
   (Optional, string) Specifies the hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
 
-`imageUrl`:: 
+`imageUrl`::
   (Optional, string) Specifies the data-url encoded image to display in the space avatar. If specified, `initials` will not be displayed, and the `color` will be visible as the background color for transparent images.
   For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
-  
+
 [[spaces-api-post-response-codes]]
 ==== Response codes
 

diff --git a/docs/api/using-api.asciidoc b/docs/api/using-api.asciidoc
@@ -1,7 +1,7 @@
 [[using-api]]
 == Using the APIs
 
-Interact with the {kib} APIs through the `curl` command and HTTP and HTTPs protocols. 
+Interact with the {kib} APIs through the `curl` command and HTTP and HTTPs protocols.
 
 It is recommended that you use HTTPs on port 5601 because it is more secure.
 
@@ -34,13 +34,37 @@ For example, the following `curl` command exports a dashboard:
 curl -X POST -u $USER:$PASSWORD "localhost:5601/api/kibana/dashboards/export?dashboard=942dcef0-b2cd-11e8-ad8e-85441f0c2e5c"
 --
 
-The following {kib} APIs are available:
+[float]
+[[api-request-headers]]
+=== Request headers
+
+For all APIs, you must use a request header. The {kib} APIs support the `kbn-xsrf` and `Content-Type` headers.
+
+`kbn-xsrf: true`::
+  By default, you must use `kbn-xsrf` for all API calls, except in the following scenarios:
+
+* The API endpoint uses the `GET` or `HEAD` methods
+
+* The path is whitelisted using the <<settings, `server.xsrf.whitelist`>> setting
+
+* XSRF protections are disabled using the `server.xsrf.disableProtection` setting
 
-* <<features-api-get, Get features API>>
-* <<spaces-api, Kibana spaces API>>
-* <<role-management-api, Kibana role management APIs>>
-* <<saved-objects-api, Saved objects APIs>>
-* <<dashboard-api, Import and export dashboards APIs>>
-* <<logstash-configuration-management-api, Logstash configuration mangaement APIs>>
-* <<url-shortening-api, Shorten URL API>>
-* <<upgrade-assistant-api, Upgrade assistant APIs>>
+`Content-Type: application/json`::
+  Applicable only when you send a payload in the API request. {kib} API requests and responses use JSON. Typically, if you include the `kbn-xsrf` header, you must also include the `Content-Type` header. 
+
+Request header example:
+
+[source,sh]
+--
+curl -X POST \
+  http://localhost:5601/api/spaces/space \
+  -H 'Content-Type: application/json' \
+  -H 'kbn-xsrf: true' \
+  -d '{
+	"id": "sales",
+	"name": "Sales",
+	"description": "This is your Sales Space!",
+	"disabledFeatures": []
+}
+'
+--
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -32,7 +32,7 @@ strongly recommend that you keep the default CSP rules that ship with Kibana.
 
 `csp.strict:`:: *Default: `true`* Blocks access to Kibana to any browser that
 does not enforce even rudimentary CSP rules. In practice, this will disable
-support for older, less safe browsers like Internet Explorer. 
+support for older, less safe browsers like Internet Explorer.
 See <<csp-strict-mode, Content Security Policy>> for more information.
 
 `csp.warnLegacyBrowsers:`:: *Default: `true`* Shows a warning message after
@@ -316,19 +316,31 @@ all http requests to https over the port configured as `server.port`.
 `server.ssl.supportedProtocols:`:: *Default: TLSv1.1, TLSv1.2*  An array of
 supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
 
+`server.xsrf.whitelist:`:: It is not recommended to disable protections for
+arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. There are some
+scenarios where whitelisting is required, however, such as
+<<kibana-authentication, SAML and OpenID Connect Single Sign-On setups>>.
+The `server.xsrf.whitelist` setting requires the following format:
+
+[source,text]
+
+----
+*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections.
+----
+
 `status.allowAnonymous:`:: *Default: false* If authentication is enabled,
 setting this to `true` enables unauthenticated users to access the Kibana
 server status API and status page.
 
-`telemetry.allowChangingOptInStatus`:: *Default: true*. If `true`, 
-users are able to change the telemetry setting at a later time in 
-<<advanced-options, Advanced Settings>>.  If `false`, 
-{kib} looks at the value of `telemetry.optIn` to determine whether to send 
+`telemetry.allowChangingOptInStatus`:: *Default: true*. If `true`,
+users are able to change the telemetry setting at a later time in
+<<advanced-options, Advanced Settings>>.  If `false`,
+{kib} looks at the value of `telemetry.optIn` to determine whether to send
 telemetry data or not. `telemetry.allowChangingOptInStatus` and `telemetry.optIn`
 cannot be `false` at the same time.
 
-`telemetry.optIn`:: *Default: true* If `true`, telemetry data is sent to Elastic. 
- If `false`, collection of telemetry data is disabled.  
+`telemetry.optIn`:: *Default: true* If `true`, telemetry data is sent to Elastic.
+ If `false`, collection of telemetry data is disabled.
  To enable telemetry and prevent users from disabling it,
  set `telemetry.allowChangingOptInStatus` to `false` and `telemetry.optIn` to `true`.