Laravel | CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack in which an attacker tricks the browser of a user who is already authenticated to a site into sending requests to that site. Because the browser attaches the user's session cookie automatically, the site executes the forged request with the victim's privileges.

Laravel protects against CSRF attacks with a CSRF token. The token is a random string that Laravel generates and stores in each user's session; every state-changing request must carry a copy of it, and the application compares that copy against the value held in the session before the request is processed. An attacker's page cannot read the victim's token, so a forged request fails the check.

How to Use: Add a hidden form field containing the CSRF token to every HTML form that submits to your Laravel application. Incoming POST, PUT, PATCH and DELETE requests are then validated automatically by the `VerifyCsrfToken` middleware, which is part of the `web` middleware group; a request whose token is missing or does not match the session is rejected with an HTTP 419 (Page Expired) response.



There are three ways to add the token to a form:

  1. @csrf
  2. csrf_field()
  3. csrf_token()

@csrf: This Blade directive renders the hidden `_token` input field inside the form. It compiles to a call to `csrf_field()`, so it needs no curly braces of its own.

  • Syntax:
    <form method="POST">
      {{-- Generates the hidden _token input field --}}
      @csrf
      .....
      .....
    </form>
  • Example:

    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    @csrf

                    <input type="text" name="username" placeholder="Username">
                    <input type="password" name="password" placeholder="Password">
                    <input type="submit" name="submit" value="Submit">
                </form>
            </section>
        </body>
    </html>


csrf_field(): This helper function returns the same hidden input field that `@csrf` renders, and is what the directive itself calls under the hood.

Note: This function should be written inside double curly braces so that Blade echoes its return value into the page.

  • Syntax:
    <form method="POST">
      {{-- Generates the hidden _token input field --}}
      {{ csrf_field() }}
      .....
      .....
    </form>
  • Example:

    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    {{ csrf_field() }}

                    <input type="text" name="username" placeholder="Username">
                    <input type="password" name="password" placeholder="Password">
                    <input type="submit" name="submit" value="Submit">
                </form>
            </section>
        </body>
    </html>


csrf_token(): This function returns only the current session's CSRF token as a plain string. It does not generate the hidden input field, so it is the right choice when you need the raw value, for example to place it in a `<meta name="csrf-token" content="{{ csrf_token() }}">` tag for JavaScript to read and send in the `X-CSRF-TOKEN` request header.

Note: When used in a form, the hidden input field must be written explicitly and its name must be `_token`, which is the field the middleware reads. This function should be written inside double curly braces.

  • Syntax:
    <form method="POST">
      <input type="hidden" name="_token" value="{{ csrf_token() }}">
      .....
      .....
    </form>
  • Example:

    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    <input type="hidden" name="_token" value="{{ csrf_token() }}">

                    <input type="text" name="username" placeholder="Username">
                    <input type="password" name="password" placeholder="Password">
                    <input type="submit" name="submit" value="Submit">
                </form>
            </section>
        </body>
    </html>


Output: All three approaches render the same HTML, so the output is identical whichever one you use. The CSRF token field should be placed inside every HTML form that submits to the Laravel application.

Inspect Element Output: Inspecting the rendered form in the browser shows the hidden field with the session's token as its value:

    <input type="hidden" name="_token" value="...">
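To make the check behind the three helpers concrete, the following PHP script is an added illustration written for this page, not Laravel's own source. It models what the `VerifyCsrfToken` middleware does with the `_token` field (or the `X-CSRF-TOKEN` header, which Laravel also accepts) and runs a legitimate submission, a forged cross-site POST and a guessed token through it. The `$session` array stands in for Laravel's session store, and the helper names `issueToken`, `csrfField` and `tokensMatch` are this example's own.

```php
<?php
// Added illustration of Laravel's CSRF check; not Laravel's source code.
// $session is a plain array standing in for the real session store (assumption
// made so the script runs from the command line without a web server).

declare(strict_types=1);

/** Create a fresh 40-character random token and store it in the session. */
function issueToken(array &$session): string
{
    $session['_token'] = bin2hex(random_bytes(20)); // 20 bytes -> 40 hex chars
    return $session['_token'];
}

/** What @csrf / csrf_field() render into the form for this session. */
function csrfField(array $session): string
{
    $token = htmlspecialchars($session['_token'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

/**
 * Decide whether a request passes the CSRF check, mirroring the middleware's logic:
 *  - read-only methods (GET, HEAD, OPTIONS) are never checked;
 *  - every other request must carry the token as the _token field or the
 *    X-CSRF-TOKEN header;
 *  - the comparison is constant-time (hash_equals) so the token cannot be
 *    recovered byte by byte through response timing.
 */
function tokensMatch(string $method, array $input, array $headers, array $session): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    $submitted = $input['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    $expected  = $session['_token'] ?? null;

    return is_string($submitted) && is_string($expected)
        && $submitted !== ''
        && hash_equals($expected, $submitted);
}

// ---- Demo with constructed requests ----
$session = [];
issueToken($session);
echo csrfField($session), PHP_EOL;

// 1. Legitimate submission from the rendered form: the token is present and correct.
$legit = tokensMatch('POST', ['_token' => $session['_token'], 'username' => 'alice'], [], $session);

// 2. Forged cross-site POST: the attacker's page cannot read the victim's session
//    token, so the request arrives without one ...
$forged = tokensMatch('POST', ['username' => 'alice'], [], $session);

//    ... or with a guess, which fails the constant-time comparison.
$guessed = tokensMatch('POST', ['_token' => str_repeat('a', 40)], [], $session);

// 3. AJAX request that sends the token in the X-CSRF-TOKEN header instead of a field.
$ajax = tokensMatch('PUT', [], ['X-CSRF-TOKEN' => $session['_token']], $session);

// 4. A plain GET is never subject to the check.
$read = tokensMatch('GET', [], [], $session);

printf("form: %s, forged: %s, guessed: %s, ajax header: %s, GET: %s\n",
    var_export($legit, true), var_export($forged, true), var_export($guessed, true),
    var_export($ajax, true), var_export($read, true));
```

Run it with `php csrf_demo.php`: the legitimate form post, the header-based request and the GET pass, while the forged request without a token and the request with a guessed token are both rejected. Two points to carry over to real applications: the check protects nothing unless the middleware actually runs on the route (so avoid listing routes in the middleware's `$except` array unless they are authenticated by another means), and GET handlers must not change state, because the middleware deliberately skips them.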

Reference: https://laravel.com/docs/6.x/csrf
