[ZT] Validate Access JWT header instead of cookie (#24376)

* use header instead of cookie

* update instructions to use the header

Author: ranbel

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -7,9 +7,9 @@ sidebar:
 
 import { GlossaryTooltip } from "~/components";
 
-When Cloudflare sends a request to your origin, the request will include an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header and as a `CF_Authorization` cookie.
+When Cloudflare sends a request to your origin, the request will include an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header. Requests made through a browser will also pass the token as a `CF_Authorization` cookie.
 
-Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that the request came from Access and not a malicious third party.
+Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that the request came from Access and not a malicious third party. We recommend validating the `Cf-Access-Jwt-Assertion` header instead of the `CF_Authorization` cookie, since the cookie is not guaranteed to be passed.
 
 ## Access signing keys
 
@@ -72,7 +72,7 @@ As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cd
 
 To verify the token manually:
 
-1. Copy the JWT from the `CF_Authorization` cookie or from the `Cf-Access-Jwt-Assertion` request header.
+1. Copy the JWT from the `Cf-Access-Jwt-Assertion` request header.
 
 2. Go to [jwt.io](https://jwt.io/).