Laravel CSRF token


In Laravel, CSRF (Cross-Site Request Forgery) protection is a security feature that helps prevent unauthorized or malicious requests from being made on behalf of an authenticated user. CSRF tokens ensure that requests made to your application are intentional and come from authenticated users or trusted sources.

CSRF Protection Overview

What is CSRF? Cross-Site Request Forgery (CSRF) is an attack where a malicious actor tricks a user into making unwanted requests to a web application where they are authenticated. This can lead to unauthorized actions being performed on behalf of the user.

How Does CSRF Protection Work? Laravel's CSRF protection works by generating a unique token for each user session and including that token in forms. When a request is made, Laravel checks that the token submitted with the request matches the one stored in the user's session. If the tokens don't match, the request is rejected.

Using CSRF in Laravel Blade

In Laravel Blade, CSRF tokens are used to secure forms against CSRF attacks. Laravel makes it easy to include CSRF tokens in your forms with the @csrf directive.

Including CSRF Tokens in Forms

1. Using @csrf Directive

The @csrf directive generates a hidden input field with the CSRF token in your form. This field is automatically included in the form's HTML, and Laravel will validate the token on submission.

Example:

<form method="POST" action="/submit">
    @csrf
    <input type="text" name="name">
    <button type="submit">Submit</button>
</form>

In this example, the @csrf directive adds a hidden input field like this:

<input type="hidden" name="_token" value="YOUR_CSRF_TOKEN_HERE">

When the form is submitted, Laravel verifies that the token included in the request matches the token stored in the session.

2. Using @method Directive

When performing actions other than GET or POST (such as PUT, PATCH, or DELETE), you can use the @method directive to specify the HTTP method.

Example:

<form method="POST" action="/update">
    @csrf
    @method('PUT')
    <input type="text" name="name">
    <button type="submit">Update</button>
</form>

In this example, the @method('PUT') directive adds a hidden input field for the HTTP method:

<input type="hidden" name="_method" value="PUT">

CSRF Tokens in JavaScript

For AJAX requests, you need to include the CSRF token in the headers. Laravel provides a way to do this by setting a meta tag in your Blade templates and then reading this meta tag in your JavaScript.

1. Add CSRF Token to Meta Tag

Example:

<meta name="csrf-token" content="{{ csrf_token() }}">

2. Set the CSRF Token in JavaScript

You can use JavaScript to read this meta tag and include the CSRF token in your AJAX requests.

Example (using jQuery):

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

Example (using Axios):

axios.defaults.headers.common['X-CSRF-TOKEN'] =
    document.querySelector('meta[name="csrf-token"]').getAttribute('content');
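The same meta-tag approach carried through for the Fetch API, as an added example (not code from the original page or from Laravel itself): it reads the token from the meta tag, attaches it only to state-changing requests, and treats Laravel's HTTP 419 response as a rejected token. The `doc` parameter and the `stubDoc` object are assumptions standing in for `window.document` so the logic can run outside a browser.

```javascript
// Added example, not from the original page. `doc` stands in for
// window.document and `stubDoc` is a constructed stand-in (assumptions).

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Read the token Laravel rendered into <meta name="csrf-token" content="...">.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute('content') : null;
  if (!token) {
    throw new Error('csrf-token meta tag missing or empty; add it to the Blade layout');
  }
  return token;
}

// Build the fetch() init: same-origin cookies so the session is sent, X-Requested-With so
// $request->ajax() is true, and X-CSRF-TOKEN only on methods Laravel's middleware checks
// (GET, HEAD and OPTIONS are treated as read requests and skipped).
function buildCsrfRequest(options, doc) {
  const method = (options.method || 'GET').toUpperCase();
  const headers = { ...(options.headers || {}), 'X-Requested-With': 'XMLHttpRequest' };
  if (STATE_CHANGING.has(method)) {
    headers['X-CSRF-TOKEN'] = readCsrfToken(doc);
  }
  return { ...options, method, headers, credentials: 'same-origin' };
}

// Laravel answers a missing or mismatched token with HTTP 419 ("Page Expired");
// report it distinctly so the caller can reload the page and obtain a fresh token.
function classifyCsrfResponse(status) {
  if (status === 419) return 'token-mismatch';
  return status >= 200 && status < 300 ? 'ok' : 'other-error';
}

async function csrfFetch(url, options = {}, doc = globalThis.document) {
  const response = await globalThis.fetch(url, buildCsrfRequest(options, doc));
  if (classifyCsrfResponse(response.status) === 'token-mismatch') {
    throw new Error('CSRF token rejected (HTTP 419): session expired, reload the page');
  }
  return response;
}

// Constructed stand-in for a page whose Blade layout rendered the meta tag.
const stubDoc = {
  querySelector: (sel) =>
    sel === 'meta[name="csrf-token"]' ? { getAttribute: () => 'demo-token-value' } : null,
};
```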

Summary

CSRF protection in Laravel is crucial for securing your application against unauthorized requests. By using the @csrf directive in Blade templates, Laravel automatically includes a CSRF token in forms, which is validated on form submission. For AJAX requests, you can include the CSRF token in the request headers by adding a meta tag to your Blade templates and reading it in your JavaScript code. This approach helps protect your application from CSRF attacks and ensures that requests are coming from authenticated and trusted sources.