CSRF Protection

Excluding URIs From CSRF Protection

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}

You may exclude routes from CSRF verification by adding their URIs to the $except property of the VerifyCsrfToken middleware, as in the class above.

If you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
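How the $except entries are matched, as an added example that is not Laravel's own code: it approximates the wildcard comparison VerifyCsrfToken performs (each entry is checked against the full URL and against the path relative to the application root, with * matching any run of characters) and includes the read-only bypass the framework applies to GET, HEAD and OPTIONS requests. The function names and the sample request URLs are constructed for illustration.

```php
<?php
// Added example, not Laravel's own code: a stand-alone approximation of how the
// $except entries are matched, so the effect of a pattern can be checked without
// booting the framework. Names (wildcardMatches, isCsrfExempt) and the sample
// URLs are constructed for illustration.

/**
 * True when $value matches $pattern, where '*' matches any run of characters
 * (slashes included). Same idea as Laravel's Str::is(): quote the pattern,
 * turn the escaped '*' into '.*', and anchor both ends.
 */
function wildcardMatches(string $pattern, string $value): bool
{
    if ($pattern === $value) {
        return true;
    }
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';

    return preg_match($regex, $value) === 1;
}

/**
 * Decide whether a request skips CSRF verification. Read-only methods are never
 * verified (CSRF defends state-changing requests); otherwise each entry is
 * compared against the full URL and against the path relative to the app root,
 * which is why both the "stripe/*" and the "http://example.com/foo/*" styles work.
 */
function isCsrfExempt(array $except, string $method, string $fullUrl): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    $path = trim((string) parse_url($fullUrl, PHP_URL_PATH), '/');
    if ($path === '') {
        $path = '/';
    }

    foreach ($except as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');
        }
        if (wildcardMatches($pattern, $fullUrl) || wildcardMatches($pattern, $path)) {
            return true;
        }
    }

    return false;
}

// The $except list from the middleware above, exercised against constructed requests.
$except = ['stripe/*', 'http://example.com/foo/bar', 'http://example.com/foo/*'];

$cases = [
    ['POST', 'http://app.test/stripe/webhook',  true],  // path matches stripe/*
    ['POST', 'http://app.test/stripes/webhook', false], // not a prefix match
    ['POST', 'http://example.com/foo/bar',      true],  // exact full-URL entry
    ['POST', 'http://example.com/foo/a/b',      true],  // '*' spans slashes
    ['POST', 'http://app.test/foo/bar',         false], // full-URL entries are host-specific
    ['POST', 'http://app.test/profile',         false], // ordinary route: token required
    ['GET',  'http://app.test/profile',         true],  // read-only method: never verified
];

foreach ($cases as [$method, $url, $expected]) {
    $exempt = isCsrfExempt($except, $method, $url);
    printf("%-5s %-36s exempt=%-5s %s\n", $method, $url,
        var_export($exempt, true), $exempt === $expected ? 'ok' : 'MISMATCH');
}
```

Because * spans slashes, stripe/* exempts every route beneath stripe/, and a bare * would switch CSRF verification off for the whole application; keep each entry as narrow as the webhook route allows. A route exempted this way is no longer protected by the token at all, so it should authenticate its caller by the provider's own mechanism (Stripe signs its webhook payloads) rather than being left open.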

CSRF token

This token is used to verify that the authenticated user is the one actually making the requests to the application.

<form method="POST" action="https://laravel.com/profile">
    @csrf
    ...
</form>
  • Laravel automatically generates a CSRF "token" for each active user session managed by the application.
  • You may use the @csrf Blade directive to generate the token field.
  • By default, the resources/js/bootstrap.js file registers the value of the csrf-token meta tag with the Axios HTTP library. If you are not using this library, you will need to configure this behavior for your application manually.

X-CSRF-TOKEN

X-XSRF-TOKEN

Laravel stores the current CSRF token in an XSRF-TOKEN cookie that is included with each response generated by the framework.
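How the server side relates the three token carriers above (the _token field written by @csrf, the X-CSRF-TOKEN header that bootstrap.js fills from the csrf-token meta tag, and the X-XSRF-TOKEN header carrying the XSRF-TOKEN cookie value), as an added example that is not Laravel's own code: it resolves the token from the request in that order and compares it with the session token in constant time. The sealCookie/openCookie helpers, the key and the session token are constructed stand-ins for the framework's cookie encrypter and session store.

```php
<?php
// Added example, not Laravel's own code: a stand-alone sketch of how the server
// locates the token a request carries and compares it with the session token.
// The three sources mirror those VerifyCsrfToken accepts: the _token form field
// written by @csrf, the X-CSRF-TOKEN header (Axios reads it from the meta tag),
// and the X-XSRF-TOKEN header carrying the XSRF-TOKEN cookie value. sealCookie
// and openCookie are constructed stand-ins for the framework's cookie encrypter.

/** Stand-in for the encrypted cookie: AES-256-GCM, base64(iv . tag . ciphertext). */
function sealCookie(string $plain, string $key): string
{
    $iv = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);

    return base64_encode($iv . $tag . $cipher);
}

/** Inverse of sealCookie; returns null for anything not produced under $key. */
function openCookie(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));

    return $plain === false ? null : $plain;
}

/** Pull the token from the request, in the order the middleware consults sources. */
function tokenFromRequest(array $input, array $headers, string $key): ?string
{
    if (isset($input['_token'])) {
        return (string) $input['_token'];          // hidden field from @csrf
    }
    if (isset($headers['X-CSRF-TOKEN'])) {
        return (string) $headers['X-CSRF-TOKEN'];  // plain token, e.g. from the meta tag
    }
    if (isset($headers['X-XSRF-TOKEN'])) {
        return openCookie($headers['X-XSRF-TOKEN'], $key); // cookie value, decrypt first
    }

    return null;
}

/** Constant-time comparison: a missing or wrong token is rejected. */
function tokensMatch(string $sessionToken, ?string $supplied): bool
{
    return $supplied !== null && hash_equals($sessionToken, $supplied);
}

// Constructed key and session; Laravel's token is a random 40-character string.
$key = random_bytes(32);
$sessionToken = bin2hex(random_bytes(20));
$cookie = sealCookie($sessionToken, $key);   // what the XSRF-TOKEN cookie would carry

$requests = [
    'form post with @csrf field'          => [['_token' => $sessionToken], []],
    'AJAX with X-CSRF-TOKEN from meta'    => [[], ['X-CSRF-TOKEN' => $sessionToken]],
    'AJAX echoing cookie in X-XSRF-TOKEN' => [[], ['X-XSRF-TOKEN' => $cookie]],
    'cross-site form, no token'           => [[], []],
    'guessed token'                       => [['_token' => str_repeat('a', 40)], []],
    'forged X-XSRF-TOKEN header'          => [[], ['X-XSRF-TOKEN' => base64_encode(random_bytes(40))]],
];

foreach ($requests as $label => [$input, $headers]) {
    $ok = tokensMatch($sessionToken, tokenFromRequest($input, $headers, $key));
    printf("%-38s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The first three requests are accepted and the last three rejected. The point of the cookie route is that only script running on your own origin can read the XSRF-TOKEN cookie and copy it into the X-XSRF-TOKEN header; a form submitted from another site sends the session cookie automatically but cannot supply a matching token through any of the three sources.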
