CSRF Protection in Laravel

CSRF Protection in Laravel


CSRF stands for Cross-site request forgeries. Cross-Site Request Forgery (CSRF) is a type of security vulnerability that occurs when a malicious website tricks a user’s browser into making unintended requests to another website where the user is authenticated. Laravel provides built-in CSRF protection mechanisms to safeguard against such attacks.

CSRF protection in Laravel involves generating and validating CSRF tokens for each user session. Here’s how it works:

Generating CSRF Tokens:

Laravel automatically generates a CSRF token for each user session. The token is stored as a cookie in the user’s browser and is also included as a hidden field in HTML forms. To generate the token, you can use the @csrf Blade directive:

form method="POST" action="/example">
    <-- Other form fields -->

Verifying CSRF Tokens:

When a form is submitted, Laravel automatically verifies the CSRF token. The token sent with the request is compared against the token stored in the user’s session. If the tokens don’t match, Laravel will throw a TokenMismatchException. You don’t need to manually perform the token verification; Laravel handles it behind the scenes.

Excluding Routes from CSRF Protection:

By default, all POST, PUT, PATCH, and DELETE routes in Laravel are protected by CSRF middleware. However, there might be cases where you need to exclude specific routes from CSRF protection, such as API endpoints. To exclude a route, you can add its URL to the $except array in the VerifyCsrfToken middleware:

protected $except = [

AJAX Requests and CSRF Tokens:

When making AJAX requests, you need to ensure that the CSRF token is included in the request headers. Laravel automatically adds the CSRF token value to the X-CSRF-TOKEN header if you are using the axios library or the csrf meta tag in your application’s HTML header. You can access the token value in JavaScript using the csrf_token() helper function:

axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector('meta[name="csrf-token"]').getAttribute('content');

By including the CSRF token in AJAX requests, Laravel will automatically verify the token and allow the request to proceed.

CSRF Protection in Stateful APIs:

Laravel’s CSRF protection primarily targets web browser interactions. For stateful APIs, where authentication is typically performed via tokens or API keys, CSRF protection is not necessary. You can exclude API routes from CSRF protection by adding them to the $except array in the VerifyCsrfToken middleware.

Conclusion: Laravel’s CSRF protection provides a robust defense against Cross-Site Request Forgery attacks. By automatically generating and verifying CSRF tokens, Laravel helps ensure the integrity and security of form submissions in your application. It’s important to include the CSRF token in your HTML forms and AJAX requests to take full advantage of this protection mechanism.

Reference document from Laravel official documentation.