What is CSRF protection in Laravel?
CSRF (Cross-Site Request Forgery) protection in Laravel is a security mechanism that helps prevent attacks in which unauthorized commands are transmitted from a user that the web application trusts. This type of attack happens when a user who is already authenticated is tricked into executing unwanted actions on a web application, because the browser automatically attaches the user's session cookies to any request sent to that application, regardless of which site the request came from.
Laravel's CSRF protection helps ensure that state-changing requests made to your application come from your own forms and not from external sources. It does this by generating a unique token for each active user session. This token is then verified on every form submission or AJAX request that changes state, ensuring that the request originates from your application.
How CSRF Protection Works in Laravel
- Generating the CSRF Token:
  - Laravel automatically generates a CSRF token for each user session. This token is stored in the user's session and can be retrieved using the csrf_token() helper function.
- Including the CSRF Token in Forms:
  - For forms that submit data (e.g., POST, PUT, DELETE requests), Laravel requires the CSRF token to be included. This can be done using the @csrf Blade directive or by manually adding the token to the form.
  Example:
  <form method="POST" action="/submit">
      @csrf
      <input type="text" name="name" />
      <button type="submit">Submit</button>
  </form>
  Alternatively, you can add the token manually:
  <input type="hidden" name="_token" value="{{ csrf_token() }}">
- Verifying the CSRF Token:
  - When the form is submitted, Laravel automatically compares the submitted token (taken from the _token form field, or from the X-CSRF-TOKEN header for AJAX requests) with the token stored in the session. If they match, the request is processed. If not, the request is rejected, preventing unauthorized actions.
CSRF Protection for AJAX Requests
For AJAX requests, you also need to include the CSRF token. This can be done by setting the token in your JavaScript code:
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
Make sure you include the CSRF token in the meta tag of your HTML document:
<meta name="csrf-token" content="{{ csrf_token() }}">
Disabling CSRF Protection for Specific Routes
In some cases, you may need to disable CSRF protection for specific routes (e.g., API endpoints or third-party webhook callbacks). You can do this by adding the routes to the $except array in the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php). Any route listed there loses CSRF checking entirely, so it should be limited to endpoints that are protected by some other means, such as token-based API authentication or a signature the webhook sender attaches to each request:
protected $except = [
'your/route/here',
];
Conclusion
Laravel’s CSRF protection ensures that your application is safe from cross-site request forgery attacks by verifying that requests come from trusted sources. It is an essential security feature that is automatically enabled in Laravel for most routes, particularly for POST, PUT, PATCH, and DELETE requests.