CSRF protection in Laravel prevents forged form submissions by verifying that state-changing requests originate from your own pages rather than from a third-party site. It works by generating a unique token for each session, which is validated when the form is submitted. Developers include the token via @csrf in Blade templates or send it in an AJAX request header. CSRF checks apply to POST, PUT, PATCH, and DELETE requests but can be skipped for APIs or stateless routes by adding them to the $except array in the VerifyCsrfToken middleware (or to validateCsrfTokens(except: ...) in bootstrap/app.php on Laravel 11 and later). Proper usage ensures security while allowing flexibility where needed.
CSRF protection in Laravel is a security feature designed to prevent Cross-Site Request Forgery attacks. In short, it ensures that form submissions or HTTP requests reaching your Laravel application were deliberately sent from your own pages, not triggered by another site the user happens to visit while logged in. This is separate from authentication: in a CSRF attack the browser attaches the victim's session cookie automatically, so the request really does arrive from the user's browser, just not by the user's choice.

Without CSRF protection, an attacker could trick a logged-in user into submitting a form on your site without their knowledge — for example, changing their email or deleting data.
How Laravel Handles CSRF Protection
Laravel automatically generates a CSRF token for each active user session and stores it in that session. The token is a random string that only your own pages ever render, and a page served from another origin cannot read it, which is what lets the token prove that a request came from your application.

Here’s how it works:
- When you create a form in Laravel using Blade, you typically include @csrf, which adds a hidden input field named _token carrying the current token.
- When the form is submitted, Laravel checks whether the submitted token matches the one stored in the user's session.
- If it doesn’t match, Laravel blocks the request and returns an HTTP 419 (Page Expired) response, which is how the framework renders its TokenMismatchException.
This mechanism protects against forged cross-site requests while keeping things simple for developers.
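To make the decision above concrete, here is an added stand-alone PHP script that mirrors what Laravel's VerifyCsrfToken middleware checks: safe methods pass, excluded routes pass, and everything else must carry a token equal to the session token. This is example code written for this article, not Laravel's own implementation, and it makes two simplifying assumptions: the session token is passed in as a plain argument instead of being read from the session, and the X-XSRF-TOKEN header is treated as plain text, whereas Laravel encrypts that cookie value and decrypts the header before comparing. The function names (csrfAllows, pathMatches, tokenFromRequest) and the sample paths such as /stripe/webhook are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Stand-alone mirror of the decision Laravel's VerifyCsrfToken middleware makes.
// Added example, not framework code; it has no Laravel dependency and runs as
// `php csrf_check.php`. Assumptions: the session token is supplied directly, and
// X-XSRF-TOKEN is compared as plain text (Laravel decrypts it first).

/** Matches a Laravel-style route pattern such as 'api/*' against a request path. */
function pathMatches(string $pattern, string $path): bool
{
    $pattern = $pattern === '/' ? '/' : trim($pattern, '/');
    $path    = trim($path, '/') ?: '/';
    if ($pattern === $path) {
        return true;
    }
    // '*' is the only wildcard; everything else is matched literally.
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
    return preg_match($regex, $path) === 1;
}

/** Token lookup order used by Laravel: _token input, X-CSRF-TOKEN header, X-XSRF-TOKEN header. */
function tokenFromRequest(array $input, array $headers): ?string
{
    $token = $input['_token'] ?? null;
    if (!is_string($token) || $token === '') {
        $token = $headers['X-CSRF-TOKEN'] ?? null;
    }
    if (!is_string($token) || $token === '') {
        $token = $headers['X-XSRF-TOKEN'] ?? null; // assumption: plain text here
    }
    return is_string($token) && $token !== '' ? $token : null;
}

/**
 * Returns true when the request may proceed and false when Laravel would throw
 * TokenMismatchException, which the exception handler renders as HTTP 419.
 */
function csrfAllows(
    string $method,
    string $path,
    array $input,
    array $headers,
    ?string $sessionToken,
    array $except = []
): bool {
    // 1. Safe methods are never checked, so they must never change state.
    if (in_array(strtoupper($method), ['HEAD', 'GET', 'OPTIONS'], true)) {
        return true;
    }
    // 2. Routes listed in $except bypass the check entirely.
    foreach ($except as $pattern) {
        if (pathMatches($pattern, $path)) {
            return true;
        }
    }
    // 3. Otherwise the submitted token must equal the session token, compared
    //    with hash_equals so the comparison does not leak timing information.
    $token = tokenFromRequest($input, $headers);
    return is_string($sessionToken) && $token !== null && hash_equals($sessionToken, $token);
}

// --- Constructed demonstration -------------------------------------------------
$sessionToken = bin2hex(random_bytes(20)); // Laravel's session token is also 40 chars

$cases = [
    // Legitimate form post: the hidden _token field carries the session token.
    'form post with _token'        => csrfAllows('POST', '/settings', ['_token' => $sessionToken], [], $sessionToken),
    // Forged cross-site post: the session cookie rides along, but the attacker's
    // page cannot read the token, so the field is missing (or wrong).
    'cross-site post, no token'    => csrfAllows('POST', '/settings', ['email' => 'x@evil.test'], [], $sessionToken),
    // Same forgery with a guessed token value.
    'cross-site post, wrong token' => csrfAllows('POST', '/settings', ['_token' => str_repeat('a', 40)], [], $sessionToken),
    // AJAX request carrying the token in the X-CSRF-TOKEN header.
    'ajax delete with header'      => csrfAllows('DELETE', '/posts/7', [], ['X-CSRF-TOKEN' => $sessionToken], $sessionToken),
    // Safe method: never checked.
    'plain GET'                    => csrfAllows('GET', '/settings', [], [], $sessionToken),
    // Excluded route: passes without a token, so it needs another form of protection.
    'excluded webhook route'       => csrfAllows('POST', '/stripe/webhook', [], [], $sessionToken, ['stripe/webhook']),
];

foreach ($cases as $label => $allowed) {
    printf("%-30s %s\n", $label, $allowed ? 'allowed' : 'rejected (419)');
}
```

Running it prints "allowed" for the form post, the AJAX delete, the GET and the excluded webhook route, and "rejected (419)" for both forged posts. One caveat the mirror leaves out: the real middleware also skips the check while the application is running its test suite, so a feature test that posts without a token will not see a 419 unless you change that behaviour yourself.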

Where You Need to Use CSRF Tokens
You need CSRF protection for every request that changes state, which in practice means forms and AJAX calls using POST, PUT, PATCH, or DELETE. Laravel's middleware skips GET, HEAD and OPTIONS requests on the assumption that they are read-only; that assumption is only safe if you never put a state change behind a GET, since a GET that deletes a record can be triggered by nothing more than an <img> tag on another site. Note that HTML forms can only submit GET and POST, so a PUT, PATCH or DELETE form uses Laravel's @method directive to add a hidden _method field; those requests arrive as POST and are checked like any other.
Common places where you’ll see CSRF usage:
- User registration and login forms
- Settings update forms
- Admin panels with destructive actions like delete or ban
In Blade templates, just add this line inside your <form></form> tag:
<form method="POST" action="/submit">
    @csrf
    <!-- other fields -->
</form>
If you're making AJAX requests from JavaScript, you'll also need to send the token yourself, either as a _token field in the payload or, more commonly, in the X-CSRF-TOKEN request header. One common way is to expose it in a meta tag:
<meta name="csrf-token" content="{{ csrf_token() }}">
Then read that tag in your JS code and set the X-CSRF-TOKEN header on every state-changing request. Laravel also writes the token into an XSRF-TOKEN cookie on each response; libraries such as Axios read that cookie automatically and send it back as an X-XSRF-TOKEN header, which the middleware accepts as well. Either way, only scripts running on your own origin can obtain the value, which is what stops a third-party page from supplying it.
When CSRF Protection Isn’t Needed
There are cases where you don’t want or need Laravel to check the CSRF token. For example:
- APIs used by mobile apps or third-party services, where the caller presents a bearer token instead of relying on a session cookie
- Stateless requests (e.g., when using token-based authentication such as Sanctum API tokens or Passport)
The common thread is that the browser is not attaching a session cookie on its own, so a cross-site request has nothing to ride on. The exception is Sanctum's SPA mode, which authenticates with session cookies: those requests still need the token, which is why the SPA calls the /sanctum/csrf-cookie endpoint first.
To exclude certain routes from CSRF protection, you can add them to the $except array in the App\Http\Middleware\VerifyCsrfToken class:
protected $except = [
    'api/*',
];
In Laravel 11 and later that class no longer ships with a new application; the same list is passed to $middleware->validateCsrfTokens(except: [...]) in bootstrap/app.php. Also note that routes defined in routes/api.php run under the api middleware group, which does not include VerifyCsrfToken at all, so an 'api/*' entry only has an effect on routes under that prefix that you registered in routes/web.php.
Be careful though — only skip CSRF for routes that really don’t need it, and make sure each excluded route is protected some other way (for example, signature verification on an incoming webhook, or bearer-token authentication on an API), because once a route is in the list the browser's session cookie alone is enough to reach it.
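Here is an added example of the Laravel 11 form of that configuration, written for this article rather than taken from any project. It excludes a single named webhook route instead of a broad wildcard; the 'stripe/webhook' path is hypothetical, and the comment records the obligation that comes with excluding it.

```php
<?php
// bootstrap/app.php (Laravel 11+). Added example, not the page's own code.
// 'stripe/webhook' is a hypothetical route; because CSRF no longer protects
// it, the controller behind it must verify the request another way (for a
// webhook, by checking the provider's signature header against a shared
// secret before acting on the payload).

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Name the exact route rather than a wildcard such as 'webhooks/*' so a
        // later route added under the same prefix is not silently exempted too.
        // Routes in routes/api.php are not under the web group and need no entry.
        $middleware->validateCsrfTokens(except: [
            'stripe/webhook',
        ]);
    })
    ->create();
```

The pre-Laravel-11 equivalent is the $except array shown above with the same single entry; the matching rules are the same in both places.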
Final Notes
CSRF protection in Laravel is mostly automatic and well-integrated into the framework. Most of the time, just using @csrf in your forms is enough.
But it’s good to understand how it works under the hood, especially when dealing with custom JavaScript, APIs, or SPA integrations. Keep in mind that skipping CSRF checks should be the exception, not the rule.
That’s basically it.
The above is the detailed content of What is CSRF protection in Laravel?. For more information, please follow other related articles on the PHP Chinese website!