Improve repo documentation

CHANGELOG.md

@@ -104,16 +104,15 @@
 ## [5.1.0](https://github.com/auth0/auth0-PHP/tree/5.1.0) (2018-03-02)
 [Full Changelog](https://github.com/auth0/auth0-PHP/compare/5.0.6...5.1.0)
 
-[State validation](https://auth0.com/docs/protocols/oauth2/oauth-state) was added in 5.1.0 for improved security. By default, this uses session storage and will happen automatically if you are using a combination of `Auth0::login()` and any method which calls `Auth0::exchange()` in your callback.
+**Notes on this release:**
 
-If you need to use a different storage method, implement your own [StateHandler](https://github.com/auth0/auth0-PHP/blob/master/src/API/Helpers/State/StateHandler.php) and set it using the `state_handler` config key when you initialize an `Auth0` instance.
-
-If you are using `Auth0::exchange()` and a method other than `Auth0::login()` to generate the Authorize URL, you can disable automatic state validation by setting the `state_handler` key to `false` when you initialize the `Auth0` instance. It is **highly recommended** to implement state validation, either automatically or otherwise
+[State validation](https://auth0.com/docs/protocols/oauth2/oauth-state) was added for improved security. Please see our [troubleshooting page](https://auth0.com/docs/libraries/auth0-php/troubleshooting) for more information on how this works and potential issues.
 
 **Closed issues**
 - Support for php-jwt 5 [\#210](https://github.com/auth0/auth0-PHP/issues/210)
 
 **Added**
+- Added XSRF State Storage / Validation [\#214](https://github.com/auth0/auth0-PHP/pull/214) ([cocojoe](https://github.com/cocojoe))
 - Adding tests for state handler; correcting storage method used [\#228](https://github.com/auth0/auth0-PHP/pull/228) ([joshcanhelp](https://github.com/joshcanhelp))
 
 **Changed**

CONTRIBUTING.md

@@ -0,0 +1,24 @@
+## Contributing
+
+We provide and maintain SDKs for the benefit of our developer community. Feedback, detailed bug reports, and focused PRs are appreciated. Thank you in advance!
+
+When contributing to this SDK, please:
+
+- Maintain the minimum PHP version (found under `require.php` in `composer.json`).
+- Code to the [PSR-2 standard](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md).
+- Write tests and run them with `composer test`.
+- Keep PRs focused and change the minimum number of lines to achieve your goal.
+
+To run tests on the SDK, you'll need to create a `.env` file in the root of this package with the following entries:
+
+- `DOMAIN` - Auth0 domain for your test tenant
+- `APP_CLIENT_ID` - Client ID for a Regular Web Application within your test tenant
+- `APP_CLIENT_SECRET` - Client Secret for a Regular Web Application within your test tenant
+- `NIC_ID` - Client ID for a test Non-Interactive Client Application
+- `NIC_SECRET` - Client Secret for a test Non-Interactive Client Application
+- `GLOBAL_CLIENT_ID` - Client ID for your tenant (found in Tenant > Settings > Advanced)
+- `GLOBAL_CLIENT_SECRET` - Client Secret for your tenant (found in Tenant > Settings > Advanced)
+
+This file is automatically excluded from Git with the `.gitignore` for this repo. 
+
+We're working on test coverage and quality but please note that newer tenants might see errors (typically `404`) for endpoints that are no longer available. Another common error is a `429` for too many requests.