diff --git a/typo3/sysext/core/Documentation/Changelog/12.0/Breaking-97305-IntroduceCSRF-likeLoginToken.rst b/typo3/sysext/core/Documentation/Changelog/12.0/Breaking-97305-IntroduceCSRF-likeLoginToken.rst
index d9207d43adb8cbb64410955ec7d0f0e1b0d2219d..598b2f9b1233ab6b1deef6fa1abfcf7aa0b3a6c6 100644
--- a/typo3/sysext/core/Documentation/Changelog/12.0/Breaking-97305-IntroduceCSRF-likeLoginToken.rst
+++ b/typo3/sysext/core/Documentation/Changelog/12.0/Breaking-97305-IntroduceCSRF-likeLoginToken.rst
@@ -18,7 +18,7 @@ create an actual server-side user session.
 The request-token has to be submitted by one of these ways:
 
 * HTTP body, e.g. in `<form>` via parameter `__request_token`
-* HTTP header, e.g. in XHR via header `X-TYPO3-Request-Token`
+* HTTP header, e.g. in XHR via header `X-TYPO3-RequestToken`
 
 Impact
 ======
diff --git a/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97305-IntroduceCSRF-likeRequest-tokenHandling.rst b/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97305-IntroduceCSRF-likeRequest-tokenHandling.rst
index ddcbdf97e8ceae07b948b81ab284ba8a1bbb0484..8a6db0258ee573eda94ae4b6a8ca16700d4c6e28 100644
--- a/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97305-IntroduceCSRF-likeRequest-tokenHandling.rst
+++ b/typo3/sysext/core/Documentation/Changelog/12.0/Feature-97305-IntroduceCSRF-likeRequest-tokenHandling.rst
@@ -34,7 +34,7 @@ Session cookie names involved for providing the nonce value:
 Submitting request-token value to application:
 
 * HTTP body, e.g. in `<form>` via parameter `__RequestToken`
-* HTTP header, e.g. in XHR via header `X-TYPO3-Request-Token`
+* HTTP header, e.g. in XHR via header `X-TYPO3-RequestToken`
 
 The sequence looks like the following:
 
@@ -133,7 +133,7 @@ needs to verify that the request-token has the expected `'my/process'` scope.
                 $this->doTheMagic();
                 // middleware takes care to remove the the cookie in case no other
                 // nonce value shall be emitted during the current HTTP request
-                $requestToken->getSigningSecretIdentifier() !== null) {
+                if ($requestToken->getSigningSecretIdentifier() !== null) {
                     $securityAspect->getSigningSecretResolver()->revokeIdentifier(
                         $requestToken->getSigningSecretIdentifier()
                     );