Skip to main content

Laravel – CSRF Protection

Laravel – CSRF Protection

CSRF refers to Cross Site Forgery attacks on web applications. CSRF attacks are the unauthorized activities which the authenticated users of the system perform. As such, many web applications are prone to these attacks.
Laravel offers CSRF protection in the following way −
Laravel includes an in built CSRF plug-in, that generates tokens for each active user session. These tokens verify that the operations or requests are sent by the concerned authenticated user.

Implementation

The implementation of CSRF protection in Laravel is discussed in detail in this section. The following points are notable before proceeding further on CSRF protection −
  • CSRF is implemented within HTML forms declared inside the web applications. You have to include a hidden validated CSRF token in the form, so that the CSRF protection middleware of Laravel can validate the request. The syntax is shown below −
    • You can conveniently build JavaScript driven applications using JavaScript HTTP library, as this includes CSRF token to every outgoing request.
    • The file namely resources/assets/js/bootstrap.js registers all the tokens for Laravel applications and includes meta tag which stores csrf-token with Axios HTTP library.

    Form without CSRF token

    Consider the following lines of code. They show a form which takes two parameters as input: email and message.
    The result of the above code is the form shown below −
    Contact Form
    The form shown above will accept any input information from an authorized user. This may make the web application prone to various attacks.
    Please note that the submit button includes functionality in the controller section. The postContact function is used in controllers for that associated views. It is shown below −
    Observe that the form does not include any CSRF tokens so the sensitive information shared as input parameters are prone to various attacks.

    Form with CSRF token

    The following lines of code shows you the form re-designed using CSRF tokens −

    The output achieved will return JSON with a token as given below −

    This is the CSRF token created on clicking the submit button.

Popular posts from this blog

What is Lumen?

What is Lumen? Lumen  is PHP micro-framework that built on Laravel’s top components.It is created by Taylor Otwell. It is perfect option for building Laravel based micro-services and fast REST API’s. It’s one of the fastest micro-frameworks available. You can install Lumen using composer by running below command 1 composer create - project -- prefer - dist laravel / lumen blog
Read more

Laravel – Response

Laravel – Response A web application responds to a user’s request in many ways depending on many parameters. This chapter explains you in detail about responses in Laravel web applications. Basic Response Laravel provides several different ways to return response. Response can be sent either from route or from controller. The basic response that can be sent is simple string as shown in the below sample code. This string will be automatically converted to appropriate HTTP response. Example Step 1  − Add the following code to  app/Http/routes.php  file. app/Http/routes.php 1 2 3 Route :: get ( '/basic_response' , function ( ) {    return 'Hello World' ; } ) ; Step 2  −  Visit  the following URL to test the basic response. 1 http : //localhost:8000/basic_response Step 3  − The output will appear as shown in the following image. Attaching Headers The response can be attached t...
Read more

Which template engine Laravel use ?

Which template engine Laravel use ? Laravel uses Blade Templating Engine. Blade is the simple, yet powerful templating engine provided with Laravel. Unlike other popular PHP templating engines, Blade does not restrict you from using plain PHP code in your views. In fact, all Blade views are compiled into plain PHP code and cached until they are modified, meaning Blade adds essentially zero overhead to your application. Blade view files use the .blade.php file extension and are typically stored in the resources/views directory.
Read more