diff --git a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp
index 9b8944b1d65..5af4be5c7ec 100644
--- a/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp
+++ b/ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.qhelp
@@ -42,6 +42,12 @@
vulnerability - for example if parts of the session are memoized. Calling
protect_from_forgery with: :exception can help to avoid this
by raising an exception on an invalid CSRF token instead.
+
+ Note that Rails version 5 and later
+ automatically run protect_from_forgery with: :exception
+ by default, but manually calling protect_from_forgery with
+ no with argument will downgrade protection to null the
+ session rather than raise an exception.
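Review bot: the "Rails version 5 and later" claim in the new paragraph is too broad; the automatic `protect_from_forgery with: :exception` behaviour arrived in Rails 5.2 and only applies when `config.action_controller.default_protect_from_forgery` is enabled (which new apps get through `config.load_defaults 5.2`), so an app upgraded from an older Rails without bumping `load_defaults` still has no CSRF protection until it calls `protect_from_forgery` itself. Suggest rewording to something like "Rails 5.2 and later, when `config.action_controller.default_protect_from_forgery` is enabled (the default for new apps via `load_defaults 5.2`), automatically run ...". It would also help to name the fallback explicitly, since "downgrade protection to null the session" reads awkwardly: "will downgrade protection to the default `with: :null_session`, which empties the session for the request rather than raising an exception", so readers can recognise the weaker strategy when they see it in code.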