config.yml

Last updated on April 06, 2026.

The file controls how your Insites application behaves. It lives at and contains flags that affect Liquid rendering, GraphQL behavior, security defaults, and deployment settings.

Most flags default to safe, strict values. You only need to include flags in your config file when you want to change the default behavior.

Configuration Flags

Flag Default Description

: Output is escaped, not sanitized.

: Variables are sanitized before output, treated as HTML, and corrected. This can change expected output and is not recommended.

Controls behavior when a GraphQL query receives an argument of the wrong type.

: Raises an error and blocks deployment.

: Logs a warning message.

: Silently ignores the mismatch.

The system runs static analysis on Liquid files during deploy and sync. This flag controls what happens when an unknown filter is detected.

: Raises an error and blocks the Liquid file from deploying.

: Logs a warning.

: Liquid runtime errors (invalid JSON parsing, bad GraphQL arguments, etc.) stop code execution and display a 500 error page.

: Errors display inline and code continues running despite errors.

: A page with slug only matches . You can use named parameters like .

: A page with slug also matches and . Control this with the page property.

: The argument is required for the mutation. This prevents accidental deletion of records from the wrong table.

: The argument is optional, which can lead to security issues if the record type is not checked before deletion.

: The system automatically escapes variables passed to translation keys, preventing XSS vulnerabilities.

: The filter marks output as HTML-safe. User input containing malicious JavaScript could execute. Use explicitly if you need this behavior.

: WebSocket connections require a CSRF token, improving security.

: WebSocket connections do not check the CSRF token.

: When an authorization policy fails and a redirect is configured, the system appends a parameter so the user can be redirected back after authenticating.

: The parameter is not appended.

If your queries do not use the argument for full-text search, you can set this to to skip Elasticsearch indexing and improve performance.

The name of the layout that pages use by default. If a page does not specify a layout in its YAML front matter, this layout is applied automatically.

Controls the attribute on cookies. Possible values: , , .

When enabled, URLs with trailing slashes are automatically redirected to the version without a trailing slash (e.g., redirects to ).

A list of module names where missing files are removed from the instance during deployment. By default, deploying a module does not delete any files, since developers may have downloaded and selectively overwritten files. When a module is listed here and is enabled, removing a file locally also removes it from the instance.

Enables password protection for the entire site. When is set to , visitors must enter a password before accessing any page. See the Maintenance Mode section below.

Example Configuration

A recommended with secure defaults:

Maintenance Mode

Maintenance mode lets you password-protect your entire site. This is useful for restricting access during development or for sites that are not yet public.

To enable it, add the following to your :

Then create a partial at with a password form. The form should POST to the built-in endpoint, which checks against the value of the constant you specified in .

If the password matches, the system stores the authentication in the session so the visitor is not prompted again.

Note

Maintenance mode only applies to valid pages and GET requests. Custom error pages and POST/PATCH/PUT/DELETE requests continue to work normally.
