Skip to content
Related Articles

Related Articles

Improve Article

Laravel | CSRF Protection

  • Last Updated : 30 Nov, 2019
Geek Week

Cross-Site Request Forgery (CSRF) is a type of attack that performed by the attacker to send requests to a system with the help of an authorized user who is trusted by the system.

Laravel provides protection with the CSRF attacks by generating a CSRF token. This CSRF token is generated automatically for each user. This token is nothing but a random string that is managed by the Laravel application to verify the user requests.

How to Use: This CSRF token protection can be applied to any HTML form in Laravel application by specifying a hidden form field of CSRF token. The requests are validated automatically by the CSRF VerifyCsrfToken middleware.

There are three different ways in which you can do this.

  1. @csrf
  2. csrf_field()
  3. csrf_token()

@csrf: This is a blade template directive for generating the hidden input field in the HTML form.



  • Syntax:
    <form method="POST">
      @csrf  // Generate hidden input field
      .....
      .....
    </form>
  • Example:




    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    @csrf
                      
                    <input type="text" name="username" 
                                                placeholder="Username">
                    <input type="password" name="password" 
                                                placeholder="Password">
                    <input type="submit" name="submit" value="Submit">
                </form>
            </section>
        </body>
    </html>

csrf_field(): This function can be used to generate the hidden input field in the HTML form.

Note: This function should be written inside double curly braces.

  • Syntax:
    <form method="POST"<
    
      // Generate hidden input field
      {{ csrf_field() }}  
      .....
      .....
    </form>
  • Example:




    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    {{ csrf_field() }}
                      
                    <input type="text" name="username" 
                                           placeholder="Username">
                    <input type="password" name="password"
                                           placeholder="Password">
                    <input type="submit" name="submit" 
                                                   value="Submit">
                </form>
            </section>
        </body>
    </html>

csrf_token(): This function just gives a random string. This function does not generate the hidden input field.

Note: HTML input field should be written explicitly. This function should be written inside double curly braces.

  • Syntax:
    <form method="POST">
      <input type="hidden" name="_token" value="{{ csrf_token() }}">
      .....
      .....
    </form>
  • Example:




    <!DOCTYPE html>
    <html>
        <head>
            <title>Laravel | CSRF Protection</title>
        </head>
        <body>
            <section>
                <h1>CSRF Protected HTML Form</h1>
                <form method="POST">
                    <input type="hidden" name="_token" value="{{ csrf_token() }}">
                      
                    <input type="text" name="username" 
                                     placeholder="Username">
                    <input type="password" name="password"
                                     placeholder="Password">
                    <input type="submit" name="submit" 
                                             value="Submit">
                </form>
            </section>
        </body>
    </html>

Output: The output is going to be the same for any of the above three ways to generate a CSRF token. The CSRF token field should be written/generated at the start of every HTML form, using any of the three ways, in a Laravel application.

Inspect Element Output:

Reference: https://laravel.com/docs/6.x/csrf




My Personal Notes arrow_drop_up
Recommended Articles
Page :