Edit this page

up.protocol up.protocol.config
JavaScript property

Configures strings used in the optional server protocol.


Value

[config.csrfHeader='X-CSRF-Token'] string optional

The name of the HTTP header that will include the CSRF token for AJAX requests.

[config.csrfParam] stringorFunction(): string optional

The name of the hidden <input> used for sending a CSRF token when submitting a default, non-AJAX form. For AJAX request the token is sent as an [HTTP header](/up.protocol.config#config.csrfHeader instead.

The parameter name can be configured as a string or as function that returns the parameter name. If no name is set, no token will be sent.

Defaults to the content attribute of a <meta> tag named csrf-param:

<meta name="csrf-param" content="authenticity_token">
[config.csrfToken] stringorFunction(): string optional

The CSRF token to send for unsafe requests. The token will be sent as either a HTTP header (for AJAX requests) or hidden form <input> (for default, non-AJAX form submissions).

The token can either be configured as a string or as function that returns the token. If no token is set, no token will be sent.

Defaults to the content attribute of a <meta> tag named csrf-token:

<meta name='csrf-token' content='secret12345'>
[config.cspNonce] stringorFunction(): string optional

A CSP script nonce for the initial page that booted Unpoly.

The nonce let Unpoly run JavaScript in HTML attributes like [up-on-loaded] or [up-on-accepted]. See Working with a strict Content Security Policy.

The nonce can either be configured as a string or as function that returns the nonce.

Defaults to the content attribute of a <meta> tag named csp-nonce:

<meta name='csrf-token' content='secret98765'>
[config.methodParam='_method'] string optional

The name of request parameter containing the original request method when Unpoly needs to wrap the method.

Methods must be wrapped when making a full page request with a methods other than GET or POST. In this case Unpoly will make a POST request with the original request method in a form parameter named _method:

POST /test HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

_method=PUT
[config.maxHeaderSize] number optional experimental

The preferred maximum length of an X-Up-prefixed header's value.

This is currently only honored for X-Up-Validate.