CSRF protection
## Introduction

Laravel makes it easy to protect your application from cross-site request forgery (CSRF) attacks. Cross-site request forgery is a type of malicious exploit in which unauthorized commands are performed on behalf of an authenticated user, riding on that user's existing session. Laravel automatically generates a CSRF "token" for each active user session managed by the application. The token is used to verify that the authenticated user is the one actually making the request to the application, rather than a third-party site that merely has the user's browser submit a request for it.
Any time you define an HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request. You may use the @csrf Blade directive to generate the token field:

```html
<form method="POST" action="/profile">
    @csrf
    ...
</form>
```
The VerifyCsrfToken middleware, which is included in the web middleware group, will automatically verify that the token in the request input matches the token stored in the session. If they do not match, the request is rejected.
## CSRF Tokens & JavaScript

When building JavaScript driven applications, it is convenient to have your JavaScript HTTP library automatically attach the CSRF token to every outgoing request. By default, the resources/js/bootstrap.js file registers the value of the csrf-token meta tag with the Axios HTTP library. If you are not using this library, you will need to configure this behavior for your application manually.
## CSRF Whitelist

Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection, since Stripe does not send a CSRF token to your route. Keep in mind that excluding a route removes the only check tying the request to the user's session, so an excluded route should accept requests only from its intended caller (for a webhook, by verifying the provider's request signature).

Typically, you should place these kinds of routes outside of the routes/web.php file, because the RouteServiceProvider applies the web middleware group to every route in that file. However, you may also exclude such routes from CSRF protection by adding their URIs to the $except property of the VerifyCsrfToken middleware:
```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}
```
{tip} The CSRF middleware is automatically disabled when running tests.

## X-CSRF-TOKEN

In addition to checking for the CSRF token as a POST parameter, the VerifyCsrfToken middleware will also check for the X-CSRF-TOKEN request header. You could, for example, store the token in an HTML meta tag:
```html
<meta name="csrf-token" content="{{ csrf_token() }}">
```

Then, once you have created the meta tag, you can instruct a library like jQuery to automatically add the token to all request headers. This provides simple, convenient CSRF protection for your AJAX based applications:

```javascript
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
```

Note that $.ajaxSetup applies these headers to every jQuery request, cross-origin ones included. If your page also calls third-party APIs from the browser, attach the header only to same-origin requests so the session's token is not disclosed to other sites.
Laravel also stores the current CSRF token in an XSRF-TOKEN cookie that is included with each response generated by the framework. You can use the cookie value to set the X-XSRF-TOKEN request header. This cookie is primarily sent as a convenience, since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the X-XSRF-TOKEN header.
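For applications that do not use jQuery or Axios, the following is an added browser-side example (not Laravel's, jQuery's or Axios's code) that does by hand what those libraries do for you: it reads the token from the csrf-token meta tag described in the X-CSRF-TOKEN section, falls back to the XSRF-TOKEN cookie described just above, and attaches the matching header only to same-origin, state-changing requests. The function names, the `headersFor` policy function and the sample cookie string are assumptions made for this example. Two facts it relies on: Laravel URL-encodes cookie values, so the cookie must be decoded before it goes into the header, and the XSRF-TOKEN cookie is encrypted by the framework, so the client sends the encrypted value unchanged and the middleware decrypts it.

```javascript
'use strict';

// The middleware skips these methods, so there is nothing to attach for them.
function needsCsrfToken(method) {
  return !['GET', 'HEAD', 'OPTIONS'].includes(String(method || 'GET').toUpperCase());
}

// Attach the token only to our own origin. A global $.ajaxSetup-style header would
// otherwise hand the session's token to every third-party API the page calls.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === pageOrigin;
  } catch (err) {
    return false; // unparsable URL: do not send the token
  }
}

// Read one cookie from a document.cookie-style string ('a=1; XSRF-TOKEN=...; b=2').
// Laravel URL-encodes cookie values, so the value is decoded before use, as Axios does.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    return decodeURIComponent(part.slice(eq + 1).trim());
  }
  return null;
}

// Pick the header. A csrf-token meta tag yields X-CSRF-TOKEN; otherwise the XSRF-TOKEN
// cookie yields X-XSRF-TOKEN. The middleware accepts either.
function csrfHeaders({ metaToken = null, cookieString = '' } = {}) {
  if (metaToken) return { 'X-CSRF-TOKEN': metaToken };
  const fromCookie = readCookie(cookieString, 'XSRF-TOKEN');
  if (fromCookie) return { 'X-XSRF-TOKEN': fromCookie };
  return {};
}

// Headers a request to `url` should carry. Kept pure so the policy is testable without
// a browser: the token goes only on same-origin, state-changing requests.
function headersFor(url, method, pageOrigin, sources) {
  if (!needsCsrfToken(method) || !isSameOrigin(url, pageOrigin)) return {};
  return csrfHeaders(sources);
}

// Browser glue: read both sources from the live document.
function browserSources() {
  const meta = document.querySelector('meta[name="csrf-token"]');
  return { metaToken: meta ? meta.getAttribute('content') : null, cookieString: document.cookie };
}

// fetch wrapper for the page's own scripts.
function csrfFetch(url, options = {}) {
  const extra = headersFor(url, options.method, window.location.origin, browserSources());
  const headers = { ...(options.headers || {}), ...extra };
  return fetch(url, { ...options, headers, credentials: 'same-origin' });
}

// Constructed sample: a document.cookie string as Laravel leaves it (value URL-encoded).
const SAMPLE_COOKIES = 'laravel_session=abc123; XSRF-TOKEN=eyJpdiI6%22x%3D%3D%22; theme=dark';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(headersFor('/profile', 'POST', 'https://app.example', { cookieString: SAMPLE_COOKIES }));
  console.log(headersFor('https://api.third-party.example/v1', 'POST', 'https://app.example', { metaToken: 'meta-token' }));
}
```

In the browser you would call `csrfFetch('/profile', { method: 'POST', body })` and let `headersFor` decide; the second console line above shows the case the jQuery snippet gets wrong, a cross-origin POST that must go out without the token.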