LaCava Research Wiki

Initiated September 2017

WebServer Parameter: csrf-disable

2nd July 2018 at 10:20am

The web server configuration parameter csrf-disable causes the usual cross-site request forgery checks to be disabled. This might be necessary in unusual or experimental configurations.

The only currently implemented check is the use of a custom header called x-requested-with that must contain the string TiddlyWiki in order for write requests to succeed.
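
A sketch of how a header check like this gates write requests, and what changes once csrf-disable is set. This is an added example, not TiddlyWiki's own code: the set of write methods, the 403 status, the exact-match comparison and all function names are assumptions.

```javascript
// Added example modelling the check described above; not TiddlyWiki's source.
// Assumptions: PUT/POST/DELETE are the write methods, a failed check returns
// 403, and the header value is compared exactly.
const WRITE_METHODS = new Set(["PUT", "POST", "DELETE"]);
const REQUIRED_HEADER = "x-requested-with";
const REQUIRED_VALUE = "TiddlyWiki";

// Returns { status, reason }; status 200 means the request may proceed.
function checkRequest(request, options = {}) {
  const method = String(request.method || "GET").toUpperCase();
  if (!WRITE_METHODS.has(method)) {
    return { status: 200, reason: "read request, no CSRF check" };
  }
  if (options.csrfDisable) {
    return { status: 200, reason: "csrf-disable set, check skipped" };
  }
  // Header names are case-insensitive, so normalise them before the lookup.
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  if (headers[REQUIRED_HEADER] === REQUIRED_VALUE) {
    return { status: 200, reason: "custom header present" };
  }
  return { status: 403, reason: "missing or wrong x-requested-with header" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: "wiki client save", method: "PUT",
    headers: { "X-Requested-With": "TiddlyWiki", "content-type": "application/json" } },
  { name: "cross-site HTML form", method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" } },
  { name: "page read", method: "GET", headers: {} }
];

// Evaluate every sample under a given server configuration.
function evaluate(options) {
  return samples.map(s => `${s.name}: ${checkRequest(s, options).status}`);
}

console.log("checks enabled:", evaluate({ csrfDisable: false }));
console.log("csrf-disable:  ", evaluate({ csrfDisable: true }));
```

An HTML form submitted from another site cannot set custom headers, which is why the constructed form POST is rejected while the check is active and accepted once csrf-disable is set.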