Skip to main content

Laravel – CSRF Protection

Laravel – CSRF Protection

CSRF refers to Cross Site Forgery attacks on web applications. CSRF attacks are the unauthorized activities which the authenticated users of the system perform. As such, many web applications are prone to these attacks.
Laravel offers CSRF protection in the following way −
Laravel includes an in built CSRF plug-in, that generates tokens for each active user session. These tokens verify that the operations or requests are sent by the concerned authenticated user.

Implementation

The implementation of CSRF protection in Laravel is discussed in detail in this section. The following points are notable before proceeding further on CSRF protection −
  • CSRF is implemented within HTML forms declared inside the web applications. You have to include a hidden validated CSRF token in the form, so that the CSRF protection middleware of Laravel can validate the request. The syntax is shown below −
    • You can conveniently build JavaScript driven applications using JavaScript HTTP library, as this includes CSRF token to every outgoing request.
    • The file namely resources/assets/js/bootstrap.js registers all the tokens for Laravel applications and includes meta tag which stores csrf-token with Axios HTTP library.

    Form without CSRF token

    Consider the following lines of code. They show a form which takes two parameters as input: email and message.
    The result of the above code is the form shown below −
    Contact Form
    The form shown above will accept any input information from an authorized user. This may make the web application prone to various attacks.
    Please note that the submit button includes functionality in the controller section. The postContact function is used in controllers for that associated views. It is shown below −
    Observe that the form does not include any CSRF tokens so the sensitive information shared as input parameters are prone to various attacks.

    Form with CSRF token

    The following lines of code shows you the form re-designed using CSRF tokens −

    The output achieved will return JSON with a token as given below −

    This is the CSRF token created on clicking the submit button.

Popular posts from this blog

Laravel – Blade Templates

Laravel – Blade Templates Laravel 5.1 introduces the concept of using  Blade , a templating engine to design a unique layout. The layout thus designed can be used by other views, and includes a consistent design and structure. When compared to other templating engines, Blade is unique in the following ways − It does not restrict the developer from using plain PHP code in views. The blade views thus designed, are compiled and cached until they are modified. The complete directory structure of Laravel is shown in the screenshot given here. You can observe that all views are stored in the  resources/views  directory and the default view for Laravel framework is  welcome.blade.php . Please note that other blade templates are also created similarly. Steps for Creating a Blade Template Layout You will have to use the following steps to create a blade template layout − Step 1 Create a layout folder inside the  resources/views  folder. We are...
Read more

What is Laravel Framework?

What is Laravel Framework? Laravel is a free, open-source PHP web framework, created by Taylor Otwell and intended for the development of web applications following the model–view–controller (MVC) architectural pattern.
Read more

What is routing and how, and what are the different ways to write it?

What is routing and how, and what are the different ways to write it? All Laravel routes are defined in your route files, which are located in the routes directory. These files are automatically loaded by the framework. The routes/web.php file defines routes that are for your web interface. These routes are assigned the web middleware group, which provides features like session state and CSRF protection. The routes in routes/api.php are stateless and are assigned the api middleware group. For most applications, you will begin by defining routes in your routes/web.php file.
Read more