From 63e2f9082328d6b67920be7bbbf245644a2c8e91 Mon Sep 17 00:00:00 2001 From: Ali Clark Date: Tue, 12 Jan 2021 14:52:42 +0000 Subject: [PATCH] Default headers example AUTH_TOKEN comment (#3539) * Updating the 'Global axios defaults' README to use a safer example The existing example usage it isn't safe in the general case as it can lead to auth tokens being leaked to 3rd party endpoints by unexpectedly. This change instead gives an example using "axios.defaults.headers.common" to set the User-Agent, which is an equally helpful use-case to document. The 'Custom instance defaults' example just below the 'Global axios defaults' example shows a method to set the 'Authorization' header specific to a given API. I've also updated the variable in the 'Custom instance defaults' code to use a semantically more relevant name within that example. * Revert the example instance name in response to PR request * Reintroduce the Authorization example with a disclaimer about its usage * Update wording nb -> important on usage comment * Remove User-Agent example due to issues with this on Chrome and Safari See https://github.com/axios/axios/issues/1231 Credit @chinesedfan for pointing this out --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 44264f6c13..7ec0dd0836 100755 --- a/README.md +++ b/README.md @@ -510,7 +510,11 @@ You can specify config defaults that will be applied to every request. ```js axios.defaults.baseURL = 'https://api.example.com'; + +// Important: If axios is used with multiple domains, the AUTH_TOKEN will be sent to all of them. +// See below for an example using Custom instance defaults instead. axios.defaults.headers.common['Authorization'] = AUTH_TOKEN; + axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded'; ```
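Review bot: The new comment above `axios.defaults.headers.common['Authorization'] = AUTH_TOKEN;` warns about the leak, but the example still sets the token globally, directly after `axios.defaults.baseURL = 'https://api.example.com';`. A reader who copies the block keeps the pattern the commit message calls unsafe, and the adjacent `baseURL` line can suggest the header is scoped to that host. Consider saying in the comment that the header is attached to every request made through the default instance, whatever `baseURL` is set to. Also consider replacing "See below" with the section's name, 'Custom instance defaults', so the pointer still works if the README sections are reordered.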