[Docs] Add server.xsrf.disableProtection to settings docs (#76022) (#76099)

docs/api/using-api.asciidoc

@@ -62,10 +62,8 @@ For all APIs, you must use a request header. The {kib} APIs support the `kbn-xsr
   By default, you must use `kbn-xsrf` for all API calls, except in the following scenarios:
 
 * The API endpoint uses the `GET` or `HEAD` operations
-
-* The path is whitelisted using the <<settings, `server.xsrf.whitelist`>> setting
-
-* XSRF protections are disabled using the `server.xsrf.disableProtection` setting
+* The path is whitelisted using the <<settings-xsrf-whitelist, `server.xsrf.whitelist`>> setting
+* XSRF protections are disabled using the <<settings-xsrf-disableProtection, `server.xsrf.disableProtection`>> setting
 
 `Content-Type: application/json`::
   Applicable only when you send a payload in the API request. {kib} API requests and responses use JSON. Typically, if you include the `kbn-xsrf` header, you must also include the `Content-Type` header.

docs/setup/settings.asciidoc

@@ -569,7 +569,7 @@ all http requests to https over the port configured as `server.port`.
  | An array of supported protocols with versions.
 Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`. *Default: TLSv1.1, TLSv1.2*
 
-| `server.xsrf.whitelist:`
+| [[settings-xsrf-whitelist]] `server.xsrf.whitelist:`
  | It is not recommended to disable protections for
 arbitrary API endpoints. Instead, supply the `kbn-xsrf` header.
 The `server.xsrf.whitelist` setting requires the following format:
@@ -584,6 +584,9 @@ The `server.xsrf.whitelist` setting requires the following format:
 [cols="2*<"]
 |===
 
+| [[settings-xsrf-disableProtection]] `status.xsrf.disableProtection:`
+ | Setting this to `true` will completely disable Cross-site request forgery protection in Kibana. This is not recommended. *Default: `false`*
+
 | `status.allowAnonymous:`
  | If authentication is enabled,
 setting this to `true` enables unauthenticated users to access the {kib}