How do I use the @csrf Blade directive to protect against CSRF attacks?
Jun 18, 2025 am 12:23 AM
@csrf is used in Laravel to prevent CSRF attacks, which is protected by automatically generating a hidden field containing a security token in the form. When a user submits a form, the server verifies the token and rejects the request if it does not match, thus preventing the malicious site from forging a request. You should use @csrf in all forms that perform state changes, such as forms that log in, register, comment submission, and modify database data, and protection should be enabled even if some forms appear to be "safe". For situations where AJAX or front-end frameworks are used, the token can be sent by reading the XSRF-TOKEN cookie (such as Axios automatically handles it) or manually obtaining the token from the meta tag and adding X-CSRF-TOKEN in the request header. Also note: Do not disable CSRF protection without reason, APIs should also adopt mechanisms such as Sanctum or Passport; long-standing pages should be refreshed regularly; SPA applications recommend combining Laravel Sanctum to ensure security. In short, adding @csrf to the form or carrying a token in the request can effectively defend against most CSRF attacks, which is simple but easily ignored.
Laravel's @csrf Blade directive is one of the easiest and most effective ways to protect your forms from CSRF (Cross-Site Request Forgery) attacks. Here's how it works and how you should use it.
What does @csrf do in Laravel?
When you include @csrf inside a form in a Blade template, Laravel automatically generates a hidden input field containing a CSRF token. This token is a secure, randomly generated value that the server checks when the form is submitted. If the token doesn't match what Laravel expects, the request gets rejected — preventing malicious third-party sites from submitting requests on behalf of a logged-in user.
You'll typically see it used like this:
<form method="POST" action="/submit">
@csrf
<!-- other form fields -->
</form>Behind the scenes, Laravel turns that into something like:
<input type="hidden" name="_token" value="randomly-generated-token-value">
This token is required for any POST, PUT, PATCH, or DELETE request handled by Laravel's routes that are protected by the VerifyCsrfToken middleware (which they are by default).
When and where to use @csrf
You should always use @csrf in forms that perform state-changing actions — especially when users are logged in. Here are some common scenarios:
- User login forms
- Registration forms
- Comment submission forms
- Any form that modifies data in the database
?? Important : Don't skip @csrf just because a form seems "safe". Even search forms or newsletter signups can be abused if not protected properly.
If you're using Vue, React, or another frontend framework that sends AJAX requests instead of traditional form submissions, you'll need to handle the CSRF token differently — more on that below.
How to handle CSRF tokens with JavaScript/AJAX
When you're not submitting forms the traditional way (like with Axios or Fetch API), you still need to send the CSRF token. Laravel makes this easy by setting a cookie called XSRF-TOKEN by default. Many HTTP clients (like Axios) will read this cookie automatically and set the X-XSRF-TOKEN header for you.
If you're manually managing headers, here's how you can get the token from the cookie and include it in your requests:
Get the token from the cookie:
function getCookie(name) { let matches = document.cookie.match(new RegExp( "(?:^|; )" name.replace(/([\.$?*|{}\(\)\[\]\\\/\ ^])/g, '\\$1') "=([^;]*)" )); return matches ? decodeURIComponent(matches[1]) : undefined; } const token = getCookie('XSRF-TOKEN');Send it with your request:
fetch('/your-endpoint', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': token }, body: JSON.stringify({ /* your data */ }) });
Alternatively, you can embed the token directly in your Blade view:
<meta name="csrf-token" content="{{ csrf_token() }}">Then grab it from there in your JS code.
Things to watch out for
- Never disable CSRF protection without a good reason – even APIs used by mobile apps should use some kind of token-based authentication (like Sanctum or Passport).
- CSRF tokens expire after a while , so if you have long-lived pages with forms, consider refreshing the token periodically.
- If you're building a SPA and using Laravel as an API backend, look into Laravel Sanctum for managing CSRF and session authentication securely.
Basically that's it. Just add @csrf to the form or bring tokens to the front-end request to block most CSRF attacks. Not complicated but easy to ignore.
The above is the detailed content of How do I use the @csrf Blade directive to protect against CSRF attacks?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What are routes in Laravel, and how are they defined?
Jun 12, 2025 pm 08:21 PM
In Laravel, routing is the entry point of the application that defines the response logic when a client requests a specific URI. The route maps the URL to the corresponding processing code, which usually contains HTTP methods, URIs, and actions (closures or controller methods). 1. Basic structure of route definition: bind requests using Route::verb('/uri',action); 2. Supports multiple HTTP verbs such as GET, POST, PUT, etc.; 3. Dynamic parameters can be defined through {param} and data can be passed; 4. Routes can be named to generate URLs or redirects; 5. Use grouping functions to uniformly add prefixes, middleware and other sharing settings; 6. Routing files are divided into web.php, ap according to their purpose
What are policies in Laravel, and how are they used?
Jun 21, 2025 am 12:21 AM
InLaravel,policiesorganizeauthorizationlogicformodelactions.1.Policiesareclasseswithmethodslikeview,create,update,anddeletethatreturntrueorfalsebasedonuserpermissions.2.Toregisterapolicy,mapthemodeltoitspolicyinthe$policiesarrayofAuthServiceProvider.
How do I create new records in the database using Eloquent?
Jun 14, 2025 am 12:34 AM
To create new records in the database using Eloquent, there are four main methods: 1. Use the create method to quickly create records by passing in the attribute array, such as User::create(['name'=>'JohnDoe','email'=>'john@example.com']); 2. Use the save method to manually instantiate the model and assign values ??to save one by one, which is suitable for scenarios where conditional assignment or extra logic is required; 3. Use firstOrCreate to find or create records based on search conditions to avoid duplicate data; 4. Use updateOrCreate to find records and update, if not, create them, which is suitable for processing imported data, etc., which may be repetitive.
How do I run seeders in Laravel? (php artisan db:seed)
Jun 12, 2025 pm 06:01 PM
Thephpartisandb:seedcommandinLaravelisusedtopopulatethedatabasewithtestordefaultdata.1.Itexecutestherun()methodinseederclasseslocatedin/database/seeders.2.Developerscanrunallseeders,aspecificseederusing--class,ortruncatetablesbeforeseedingwith--trunc
What is the purpose of the artisan command-line tool in Laravel?
Jun 13, 2025 am 11:17 AM
Artisan is a command line tool of Laravel to improve development efficiency. Its core functions include: 1. Generate code structures, such as controllers, models, etc., and automatically create files through make: controller and other commands; 2. Manage database migration and fill, use migrate to run migration, and db:seed to fill data; 3. Support custom commands, such as make:command creation command class to implement business logic encapsulation; 4. Provide debugging and environment management functions, such as key:generate to generate keys, and serve to start the development server. Proficiency in using Artisan can significantly improve Laravel development efficiency.
How do I install Laravel on my operating system (Windows, macOS, Linux)?
Jun 19, 2025 am 12:31 AM
Yes,youcaninstallLaravelonanyoperatingsystembyfollowingthesesteps:1.InstallPHPandrequiredextensionslikembstring,openssl,andxmlusingtoolslikeXAMPPonWindows,HomebrewonmacOS,oraptonLinux;2.InstallComposer,usinganinstalleronWindowsorterminalcommandsonmac
How do I run tests in Laravel? (php artisan test)
Jun 13, 2025 am 12:02 AM
ToruntestsinLaraveleffectively,usethephpartisantestcommandwhichsimplifiesPHPUnitusage.1.Setupa.env.testingfileandconfigurephpunit.xmltouseatestdatabaselikeSQLite.2.Generatetestfilesusingphpartisanmake:test,using--unitforunittests.3.Writetestswithmeth
How do I define methods (actions) in a controller?
Jun 14, 2025 am 12:38 AM
Defining a method (also known as an action) in a controller is to tell the application what to do when someone visits a specific URL. These methods usually process requests, process data, and return responses such as HTML pages or JSON. Understanding the basic structure: Most web frameworks (such as RubyonRails, Laravel, or SpringMVC) use controllers to group related operations. Methods within each controller usually correspond to a route, i.e. the URL path that someone can access. For example, there may be the following methods in PostsController: 1.index() – display post list; 2.show() – display individual posts; 3.create() – handle creating new posts; 4.u
