VerifyCsrfToken is a middleware in Laravel to prevent CSRF attacks. Its core mechanism is to ensure that the request source is legitimate by verifying the CSRF Token in the request. 1. It generates a unique token when the user accesses the form page and embeds the form; 2. Verify that the token is consistent when submitting, otherwise the request will be rejected; 3. Mainly verify POST, PUT, PATCH, DELETE requests, and GET requests do not verify by default; 4. You can skip verification by adding routes in the $except attribute, but use it with caution; 5. It is recommended to use Sanctum or Passport to manage the token for SPA or API scenarios.
VerifyCsrfToken is a middleware in the Laravel framework used to prevent cross-site request forgery (CSRF) attacks. Simply put, it ensures that the request is initiated by the user, rather than a malicious request induced by a third-party website by verifying whether the request contains a legitimate CSRF Token.
Laravel enables this middleware by default, and it is already included in the global middleware group. This means that most requests entering the application will be checked by it.
How does it work?
The core mechanism of VerifyCsrfToken is to use tokens to verify the legitimacy of the request source:
- Generate token : When a user visits a page with a form, Laravel automatically generates a unique CSRF token and embeds it into the form (usually a hidden field).
- Submission verification : When a user submits a form, the middleware checks whether the submitted token is consistent with the server-side storage. If inconsistent or missing, the request will be denied (returns a 419 or 500 error).
In addition to HTML forms, if you are sending POST requests in JavaScript (such as Axios), you need to configure the token delivery method, which is usually placed in the request header.
Which requests will be verified?
VerifyCsrfToken does not verify all requests. It mainly targets request methods that may modify state, such as:
-
POST -
PUT -
PATCH -
DELETE
Read-only requests like GET will not verify CSRF tokens by default, because they should not change the state of the application.
How to bypass the verification of certain routes?
Sometimes you may encounter interfaces that do not require CSRF verification, such as API routing or external service callback addresses. At this time, you can skip the verification by:
- Open
App\Http\Middleware\VerifyCsrfTokenclass - Add the route path to exclude in
$exceptproperty
protected $except = [
'api/*',
'webhook/stripe',
];In this way, requests under these paths will not be restricted by VerifyCsrfToken.
It should be noted that skipping CSRF verification can pose security risks and should only be used if necessary.
Some details in actual development
- If you are developing a SPA (such as Vue Laravel API), it is recommended to use Laravel's
sanctumorpassportto handle authentication and token management instead of relying on traditional CSRF tokens. - When using the Blade template engine, you can quickly insert the CSRF Token field using the
@csrfdirective. - For AJAX requests, make sure the front-end correctly carries the
_tokenparameter, or setXSRF-TOKENrequest header.
Basically that's it. VerifyCsrfToken is a very basic but very critical security protection mechanism. Although it doesn't seem complicated, it is easy to ignore some details in actual development and lead to errors.
The above is the detailed content of What is the VerifyCsrfToken middleware?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to use middleware for data recovery in Laravel
Nov 02, 2023 pm 02:12 PM
Laravel is a popular PHP web application framework that provides many fast and easy ways to build efficient, secure and scalable web applications. When developing Laravel applications, we often need to consider the issue of data recovery, that is, how to recover data and ensure the normal operation of the application in the event of data loss or damage. In this article, we will introduce how to use Laravel middleware to implement data recovery functions and provide specific code examples. 1. What is Lara?
How to handle form validation using middleware in Laravel
Nov 02, 2023 pm 03:57 PM
How to use middleware to handle form validation in Laravel, specific code examples are required Introduction: Form validation is a very common task in Laravel. In order to ensure the validity and security of the data entered by users, we usually verify the data submitted in the form. Laravel provides a convenient form validation function and also supports the use of middleware to handle form validation. This article will introduce in detail how to use middleware to handle form validation in Laravel and provide specific code examples.
What is the principle of tomcat middleware
Dec 27, 2023 pm 04:40 PM
The principle of tomcat middleware is implemented based on Java Servlet and Java EE specifications. As a Servlet container, Tomcat is responsible for processing HTTP requests and responses and providing the running environment for Web applications. The principles of Tomcat middleware mainly involve: 1. Container model; 2. Component architecture; 3. Servlet processing mechanism; 4. Event listening and filters; 5. Configuration management; 6. Security; 7. Clustering and load balancing; 8. Connector technology; 9. Embedded mode, etc.
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel
Aug 13, 2023 pm 04:43 PM
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel With the development of the Internet, network security issues have become more and more serious. Among them, Cross-SiteScripting (XSS) and Cross-SiteRequestForgery (CSRF) are one of the most common attack methods. Laravel, as a popular PHP development framework, provides users with a variety of security mechanisms
How to use middleware for response transformation in Laravel
Nov 03, 2023 am 09:57 AM
How to use middleware for response conversion in Laravel Middleware is one of the very powerful and practical features in the Laravel framework. It allows us to process requests and responses before the request enters the controller or before the response is sent to the client. In this article, I will demonstrate how to use middleware for response transformation in Laravel. Before starting, make sure you have Laravel installed and a new project created. Now we will follow these steps: Create a new middleware Open
How to use middleware to set up cross-domain resource sharing (CORS) in the Slim framework
Jul 30, 2023 pm 08:34 PM
How to set up Cross-Origin Resource Sharing (CORS) using middleware in the Slim framework Cross-Origin Resource Sharing (CORS) is a mechanism that allows the server to set some additional information in the HTTP response header to tell the browser whether Allow cross-domain requests. In some projects with front-end and back-end separation, the CORS mechanism can be used to realize the front-end's cross-domain request for the back-end interface. When using the Slim framework to develop REST API, we can use middleware (Middleware)
How to use middleware for data acceleration in Laravel
Nov 02, 2023 am 09:40 AM
How to use middleware for data acceleration in Laravel Introduction: When developing web applications using the Laravel framework, data acceleration is the key to improving application performance. Middleware is an important feature provided by Laravel that handles requests before they reach the controller or before the response is returned. This article will focus on how to use middleware to achieve data acceleration in Laravel and provide specific code examples. 1. What is middleware? Middleware is a mechanism in the Laravel framework. It is used
PHP Framework Security Guide: How to Prevent CSRF Attacks?
Jun 01, 2024 am 10:36 AM
PHP Framework Security Guide: How to Prevent CSRF Attacks? A Cross-Site Request Forgery (CSRF) attack is a type of network attack in which an attacker tricks a user into performing unintended actions within the victim's web application. How does CSRF work? CSRF attacks exploit the fact that most web applications allow requests to be sent between different pages within the same domain name. The attacker creates a malicious page that sends requests to the victim's application, triggering unauthorized actions. How to prevent CSRF attacks? 1. Use anti-CSRF tokens: Assign each user a unique token, store it in the session or cookie. Include a hidden field in your application for submitting that token
