Laravel CSRF Protection

 Powerful  Laravel CSRF Protection

Laravel CSRF Protection
Laravel CSRF Protection


In our previous post on Laravel Framework Overview, We discussed that Laravel is simple, robust, secure for developers for the development of web apps. The Laravel CSRF Protection feature is used for developing secure web applications.

Let’s see how?

Laravel’s built-in CSRF protection feature allows developers to develop secure web applications. Using Laravel’s CSRF feature, we can protect web apps from Cross-Site-Request-Forgery attacks. So, before moving to implement CSRF protection in Laravel, Lets first understand some basic facts about CSRF attacks and why web applications need to protect from these attacks.

What is a CSRF attack?

Cross-Site-Request-Forgery (CSRF) is a kind of web attack where the attacker tries to hijack HTTP web requests and pretends to be the legitimate user. The attacker leverages the authenticated users to send HTTP web requests to a web server. The CSRF exploits the trust that a site has in a user’s browser.

Whenever an HTTP request is made to a web application, the browser will check first if it has any information in Cookies. If related cookies are found, then these are sent along with the HTPP request. Hence, the user needs to be authenticated again at server side which marks the session still valid. Here, the attacker would use CSRF to send requests on behalf of a valid user.

Refer Laravel official documentation @ CSRF Protection in Laravel.

How to protect Laravel web applications from CSRF attacks?

Laravel CSRF Protection is the built-in feature provided with the Laravel framework to protect the web application from the CSRF attacks. Laravel developers have to take care while sending HTML forms to the web server for processing.

Laravel by default adds a CSRF token for each active user session in the application.
By default, all routes except “read-only” routes (those using GET, HEAD, or OPTIONS) are protected against cross-site request forgery (CSRF) attacks by requiring a token, in the form of an input named _token, to be passed along with each request.

HTML Form without CSRF token:

<form action="/getUsersList" method="POST">
<input type="hidden" name="_method" value="DELETE">

Here, the HTML forms without CSRF tokens makes the web application vulnerable to attacks.

HTML Form with CSRF token:

<form method = ”post” >
{{ csrf_field() }}
<label> Name </label>
<input type = "text" name = "email"/>
<label> Message </label>
<input type = "text" name = "message"/>
<input type = ”submit” name = ”submitButton” value = ”submit”>

In this case, the form output would be:

"token": "klfleifxDSUYEW9WE67898BVNVFPNG",
"name": "",
"email": ""


Now, the time to see how Laravel CSRF protection is practically implemented while developing Laravel web applications.

How to implement CSRF Protection in Laravel?

Laravel CSRF protection is basically required when the user submits the input data to the web servers for processing and getting back the HTTP responses. Laravel provides “@csrf” blade directive to add hidden tokens in the HTML forms. It is a hidden HTML input field sent along with other HTML elements. This token is generated at the start of every session, and every non–read-only route compares the submitted _token against the session token. This token is used to verify the authenticated users to the web application.

TIPThe best way around CSRF attacks is to protect all inbound routes —POST, DELETE, etc.—with a token, which Laravel does out of the box.

CSRF protection in Laravel is implemented using the following steps:

1. Define the @csrf or {{ csrf_field() }} blade directive in the HTML forms.

<form method=”POST” action=”/profile”>


2. CSRF token is submitted to the server.

3. Laravel framework at server-side validates the token

Laravel validates the token using in-built CSRF protection middleware. The VerifyCsrfToken middleware is included in the web middleware group which will automatically verify that the token in the request input and matches with the token preserved in the session. The default Laravel CSRF Token Controller is VerifyCsrfToken.

So, make it practical to add @csrf tokens to each form submission in web pages.


X-CSRF-TOKEN in Laravel:

Along with the CSRF tokens, Laravel also checks for the CSRF token as a POST parameter and the VerifyCsrfToken middleware would also check for the X-CSRF-TOKEN request header. This token can be stored in an HTML meta tag:

<meta name="csrf-token" content="{{ csrf_token() }}">

headers: {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')

How to disable/turn-off CSRF protection in Laravel?

Sometimes we may have to exclude a few routes from the CSRF protection. Laravel has CSRF protection enabled by default for all requests in laravel application. This is included and handled automatically to make life easier.

The default CSRF protection can be disabled using the VerifyCsrfToken middleware. The  app/Http/Middleware/VerifyCsrfToken class has an $except array property to specify the routes we want to exclude from CSRF protection.

protected $except = [


Further reading: