CSRF Protection - Laravel 12.x - The PHP Framework For Web Artisans
CSRF Protection - Laravel 12.x - The PHP Framework For Web Artisans
CSRF Protection
# Introduction
# X-CSRF-Token
# X-XSRF-Token
# Introduction
Cross-site request forgeries are a type of malicious exploit whereby unauthorized
commands are performed on behalf of an authenticated user. Thankfully, Laravel
makes it easy to protect your application from cross-site request forgery (CSRF)
attacks.
Without CSRF protection, a malicious website could create an HTML form that points
to your application's /user/email route and submits the malicious user's own email
address:
1 <form action="https://your-application.com/user/email" method="POST">
2 <input type="email" value="[email protected]">
3 </form>
4
5 <script>
6 document.forms[0].submit();
7 </script>
If the malicious website automatically submits the form when the page is loaded, the
malicious user only needs to lure an unsuspecting user of your application to visit their
website and their email address will be changed in your application.
To prevent this vulnerability, we need to inspect every incoming POST , PUT , PATCH , or
DELETE request for a secret session value that the malicious application is unable to
access.
The current session's CSRF token can be accessed via the request's session or via the
csrf_token helper function:
1 use Illuminate\Http\Request;
2
3 Route::get('/token', function (Request $request) {
4 $token = $request->session()->token();
5
6 $token = csrf_token();
7
8 // ...
9 });
Anytime you define a "POST", "PUT", "PATCH", or "DELETE" HTML form in your
application, you should include a hidden CSRF _token field in the form so that the CSRF
protection middleware can validate the request. For convenience, you may use the
@csrf Blade directive to generate the hidden token input field:
Typically, you should place these kinds of routes outside of the web middleware group
that Laravel applies to all routes in the routes/web.php file. However, you may also
exclude specific routes by providing their URIs to the validateCsrfTokens method in
your application's bootstrap/app.php file:
For convenience, the CSRF middleware is automatically disabled for all routes
when running tests.
# X-CSRF-TOKEN
In addition to checking for the CSRF token as a POST parameter, the
Illuminate\Foundation\Http\Middleware\ValidateCsrfToken middleware, which is
included in the web middleware group by default, will also check for the X-CSRF-TOKEN
request header. You could, for example, store the token in an HTML meta tag:
Then, you can instruct a library like jQuery to automatically add the token to all request
headers. This provides simple, convenient CSRF protection for your AJAX based
applications using legacy JavaScript technology:
1 $.ajaxSetup({
2 headers: {
3 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
4 }
5 });
# X-XSRF-TOKEN
Laravel stores the current CSRF token in an encrypted XSRF-TOKEN cookie that is
included with each response generated by the framework. You can use the cookie
value to set the X-XSRF-TOKEN request header.
By default, the resources/js/bootstrap.js file includes the Axios HTTP library which
will automatically send the X-XSRF-TOKEN header for you.
Resources Products
Documentation Cloud
Blog Nightwatch
Partners Nova
News
Larabelles
Jobs
Careers
Packages
Cashier Sail
Dusk Sanctum
Horizon Socialite
Octane Telescope
Scout Pulse
Pennant Reverb
Pint Echo