@csrf在Laravel中用於防止CSRF攻擊，其通過在表單中自動(dòng)生成一個(gè)包含安全令牌的隱藏字段實(shí)現(xiàn)保護(hù)。當(dāng)用戶提交表單時(shí)，服務(wù)器會(huì)驗(yàn)證該令牌，若不匹配則拒絕請(qǐng)求，從而阻止惡意站點(diǎn)偽造請(qǐng)求。你應(yīng)在所有執(zhí)行狀態(tài)更改操作的表單中使用@csrf，例如登錄、註冊(cè)、評(píng)論提交及修改數(shù)據(jù)庫(kù)數(shù)據(jù)的表單，即使某些表單看似“安全”也應(yīng)啟用保護(hù)。對(duì)於使用AJAX或前端框架的情況，可通過讀取XSRF-TOKEN cookie（如Axios自動(dòng)處理）或手動(dòng)從meta標(biāo)籤獲取令牌並在請(qǐng)求頭中添加X-CSRF-TOKEN來(lái)發(fā)送令牌。另外需要注意：不要無(wú)故禁用CSRF保護(hù)，API亦應(yīng)採(cǎi)用Sanctum或Passport等機(jī)制；長(zhǎng)期存在的頁(yè)面應(yīng)定期刷新令牌；SPA應(yīng)用建議結(jié)合Laravel Sanctum確保安全。總之，在表單中加入@csrf或在請(qǐng)求中攜帶令牌可有效防禦大多數(shù)CSRF攻擊，雖簡(jiǎn)單但易被忽略。

Laravel's @csrf Blade directive is one of the easiest and most effective ways to protect your forms from CSRF (Cross-Site Request Forgery) attacks. Here's how it works and how you should use it.

What does @csrf do in Laravel?

When you include @csrf inside a form in a Blade template, Laravel automatically generates a hidden input field containing a CSRF token. This token is a secure, randomly generated value that the server checks when the form is submitted. If the token doesn't match what Laravel expects, the request gets rejected — preventing malicious third-party sites from submitting requests on behalf of a logged-in user.

You'll typically see it used like this:

 <form method="POST" action="/submit">
    @csrf
    <!-- other form fields -->
</form>

Behind the scenes, Laravel turns that into something like:

 <input type="hidden" name="_token" value="randomly-generated-token-value">

This token is required for any POST, PUT, PATCH, or DELETE request handled by Laravel's routes that are protected by the VerifyCsrfToken middleware (which they are by default).

When and where to use @csrf

You should always use @csrf in forms that perform state-changing actions — especially when users are logged in. Here are some common scenarios:

• User login forms
• Registration forms
• Comment submission forms
• Any form that modifies data in the database

?? Important : Don't skip @csrf just because a form seems "safe". Even search forms or newsletter signups can be abused if not protected properly.

If you're using Vue, React, or another frontend framework that sends AJAX requests instead of traditional form submissions, you'll need to handle the CSRF token differently — more on that below.

How to handle CSRF tokens with JavaScript/AJAX

When you're not submitting forms the traditional way (like with Axios or Fetch API), you still need to send the CSRF token. Laravel makes this easy by setting a cookie called XSRF-TOKEN by default. Many HTTP clients (like Axios) will read this cookie automatically and set the X-XSRF-TOKEN header for you.

If you're manually managing headers, here's how you can get the token from the cookie and include it in your requests:

1. Get the token from the cookie:

    function getCookie(name) {
       let matches = document.cookie.match(new RegExp(
           "(?:^|; )" name.replace(/([\.$?*|{}\(\)\[\]\\\/\ ^])/g, '\\$1') "=([^;]*)"
       ));
       return matches ? decodeURIComponent(matches[1]) : undefined;
   }
   
   const token = getCookie('XSRF-TOKEN');

2. Send it with your request:

    fetch('/your-endpoint', {
       method: 'POST',
       headers: {
           'Content-Type': 'application/json',
           'X-CSRF-TOKEN': token
       },
       body: JSON.stringify({ /* your data */ })
   });

Alternatively, you can embed the token directly in your Blade view:

 <meta name="csrf-token" content="{{ csrf_token() }}">

Then grab it from there in your JS code.

Things to watch out for

• Never disable CSRF protection without a good reason – even APIs used by mobile apps should use some kind of token-based authentication (like Sanctum or Passport).
• CSRF tokens expire after a while , so if you have long-lived pages with forms, consider refreshing the token periodically.
• If you're building a SPA and using Laravel as an API backend, look into Laravel Sanctum for managing CSRF and session authentication securely.

基本上就這些。只要在表單裡加上@csrf ，或者在前端請(qǐng)求裡帶上token，就能擋住大多數(shù)CSRF 攻擊。不復(fù)雜但容易忽略。

以上是如何使用@CSRF Blade指令來(lái)防止CSRF攻擊？的詳細(xì)內(nèi)容。更多資訊請(qǐng)關(guān)注PHP中文網(wǎng)其他相關(guān)文章！