19th April 2019 at 5:13pm
The web server configuration parameter csrf-disable causes the usual cross-site request forgery checks to be disabled. This might be necessary in unusual or experimental configurations.
Setting csrf-disable to yes disables the CSRF checks; no (or any other value) enables them.
The only currently implemented check is the use of a custom header called x-requested-with that must contain the string TiddlyWiki in order for write requests to succeed.
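
The following sketch shows how a server can apply the check described above, and what setting csrf-disable to yes switches off. It is an added example, not TiddlyWiki's own server code. The function names, the sample requests and the choice of GET, HEAD and OPTIONS as the read-only methods are assumptions made for illustration.

```javascript
// Added illustration, not TiddlyWiki's own server code.
// Assumption: GET, HEAD and OPTIONS are read-only; every other method is a write.
const READ_ONLY_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// "yes" disables the checks; "no" or any other value leaves them enabled.
function csrfChecksEnabled(config) {
  return config["csrf-disable"] !== "yes";
}

// Decide whether a request passes the x-requested-with check.
// `headers` uses lower-case names, as Node's http module delivers them.
function checkRequest(request, config) {
  const method = String(request.method || "").toUpperCase();
  if (!csrfChecksEnabled(config)) {
    return { allowed: true, reason: "csrf checks disabled" };
  }
  if (READ_ONLY_METHODS.has(method)) {
    return { allowed: true, reason: "read request" };
  }
  const value = request.headers["x-requested-with"];
  if (typeof value === "string" && value.includes("TiddlyWiki")) {
    return { allowed: true, reason: "custom header present" };
  }
  return { allowed: false, reason: "x-requested-with missing or wrong" };
}

// Constructed sample requests (hypothetical paths and header values).
const samples = [
  { method: "GET", url: "/status", headers: {} },
  { method: "PUT", url: "/recipes/default/tiddlers/A",
    headers: { "x-requested-with": "TiddlyWiki" } },
  // A cross-site HTML form cannot attach a custom header, so its write
  // arrives looking like this and is refused while the checks are on.
  { method: "PUT", url: "/recipes/default/tiddlers/A", headers: {} },
  { method: "DELETE", url: "/bags/default/tiddlers/A",
    headers: { "x-requested-with": "XMLHttpRequest" } },
];

function runSamples(config) {
  return samples.map((req) => checkRequest(req, config).allowed);
}

console.log("checks enabled: ", runSamples({ "csrf-disable": "no" }));
console.log("checks disabled:", runSamples({ "csrf-disable": "yes" }));
```

With the checks disabled, the third and fourth sample writes are accepted, so some other control has to stop cross-site writes in such a configuration.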