CSRF attacks are to use the user to perform unauthorized operations. Laravel uses the middleware VerifyCsrfToken defense to verify the legality of requests using form hidden fields_token. 1. AJAX requests must carry XSRF-Token in the header; 2. CSRF is not enabled by API routing by default, middleware needs to be added manually; 3. Caching pages may cause tokens to be fixed, so you should avoid cache pages containing form or dynamic loading of tokens. Turning off CSRF is suitable for scenarios such as stateless APIs and using OAuth/JWT authentication, but other security mechanisms need to be reliable.

CSRF (Cross-site Request Forgery) attacks are a common security vulnerability in which attackers send malicious requests to authenticated applications by masturbating as users. In Laravel, the framework itself provides a complete set of mechanisms to prevent such attacks, but if you don't understand how it works or is used improperly, it may still leave hidden dangers.

What is a CSRF attack?

Simply put, CSRF uses the user's identity that is already logged in and performs certain operations without the user's knowledge. For example, if you log in to your account on the bank website and then visit a malicious website, the website will automatically initiate a transfer request. If the bank does not have any precautions, it may mistakenly believe that it was your own operation.

The reason why this attack is successful is that the browser will automatically bring you cookies to the target website, and the server cannot determine whether the request comes from you who initiated it.

How does Laravel defend against CSRF?

Laravel enables CSRF protection mechanism by default, which is mainly implemented through the middleware VerifyCsrfToken . Its core logic is:

• Add a hidden _token to each form, which is a random value generated by the server and bound to the current session.
• Laravel will verify that the token is legal every time a POST, PUT, PATCH, or DELETE request is submitted.
• If the token does not match or is missing, a TokenMismatchException exception will be thrown.

In addition, Laravel also provides the @csrf Blade directive to conveniently insert the token field, which is recommended for use in all non-GET forms.

What situations are easily overlooked?

Although Laravel has done a lot of protection, in actual development, the following points are prone to problems:

• AJAX request does not carry tokens : By default, Laravel requires AJAX requests to bring XSRF-Tokens in the header. You can automatically handle it by adding meta tags to the page and using libraries such as Axios:

   <meta name="csrf-token" content="{{ csrf_token() }}">

  Then set:

   $.ajaxSetup({
      headers: {
          'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
      }
  });

• API routing bypass CSRF verification : If you are using api.php routing file, it does not pass through the web middleware group by default, and CSRF verification will not be enabled. If you want the API interface to support session-based CSRF protection, you need to manually add related middleware.

• Caching pages leads to token fixation : If you cache the page containing CSRF token, it will cause multiple users to get the same token, which may cause security risks. Therefore, avoid cached pages containing forms, or use dynamically loading tokens.

When can CSRF be turned off?

In some scenarios, CSRF protection is indeed not required, such as:

• Build a stateless API (such as for mobile)
• Use OAuth or JWT authentication mechanism
• All requests are verified through token-based

At this time, you can choose to move the route out of the web middleware group, or directly exclude specific routes from the VerifyCsrfToken middleware.

However, once you decide to turn off CSRF, make sure you already have other more secure authentication mechanisms to replace it.

Basically that's it.

The above is the detailed content of Understanding and Preventing CSRF Attacks in Laravel?. For more information, please follow other related articles on the PHP Chinese website!