Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Default headers example AUTH_TOKEN comment #3539

Conversation

aliclark
Copy link
Contributor

@aliclark aliclark commented Jan 11, 2021

If axios is used with multiple domains, the AUTH_TOKEN will be sent to all of them when using the example code:

axios.defaults.headers.common['Authorization'] = AUTH_TOKEN

This PR adds a comment above the example to that effect and points below for an example using Custom instance defaults instead.

The PR also adds an example setting User-Agent, which is another common case for setting axios.defaults.headers.common.

This is a continuation of #3471 which was previously closed.

The existing example usage it isn't safe in the general case as it can
lead to auth tokens being leaked to 3rd party endpoints by unexpectedly.

This change instead gives an example using
"axios.defaults.headers.common" to set the User-Agent, which is an
equally helpful use-case to document.

The 'Custom instance defaults' example just below the 'Global axios
defaults' example shows a method to set the 'Authorization' header
specific to a given API. I've also updated the variable in the 'Custom
instance defaults' code to use a semantically more relevant name within
that example.
@aliclark aliclark changed the title Default headers example without confidential text Default headers example AUTH_TOKEN comment Jan 11, 2021
Copy link
Member

@jasonsaayman jasonsaayman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, I know I am being a bit uptight but if you can change that wording then it will be perfect 💯

README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@aliclark
Copy link
Contributor Author

Thanks both for the feedback!

I'm not able to merge as a collaborator so hope either of you can merge whenever is a good time.

Thanks again and apologies for the drama.

@jasonsaayman jasonsaayman merged commit fe52a61 into axios:master Jan 12, 2021
@aliclark aliclark deleted the default-headers-example-without-confidential-text branch January 15, 2021 11:08
mbargiel pushed a commit to mbargiel/axios that referenced this pull request Jan 27, 2022
* Updating the 'Global axios defaults' README to use a safer example

The existing example usage it isn't safe in the general case as it can
lead to auth tokens being leaked to 3rd party endpoints by unexpectedly.

This change instead gives an example using
"axios.defaults.headers.common" to set the User-Agent, which is an
equally helpful use-case to document.

The 'Custom instance defaults' example just below the 'Global axios
defaults' example shows a method to set the 'Authorization' header
specific to a given API. I've also updated the variable in the 'Custom
instance defaults' code to use a semantically more relevant name within
that example.

* Revert the example instance name in response to PR request

* Reintroduce the Authorization example with a disclaimer about its usage

* Update wording nb -> important on usage comment

* Remove User-Agent example due to issues with this on Chrome and Safari

See axios#1231
Credit @chinesedfan for pointing this out
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants