Laravel - CSRF Protection

CSRF (Cross-Site Request Forgery) refers to attacks on web applications in which unauthorized actions are performed using the identity of an authenticated user, typically because the browser automatically attaches that user's session cookie to a request it did not intend to make. Many web applications are susceptible to these attacks.

Laravel offers CSRF protection as follows −

Laravel includes built-in CSRF middleware that generates a token for every active user session. This token is used to verify that operations or requests are actually sent by the corresponding authenticated user and not forged by another site.

Implementation

The implementation of CSRF protection in Laravel is discussed in detail in this section. The following points are notable before proceeding with CSRF protection −

  • CSRF protection is applied to HTML forms declared inside web applications. You must include a hidden input carrying the CSRF token in the form so that Laravel's CSRF protection middleware can validate the request. The syntax is shown below (the form's action route is a placeholder, since the page does not name one) −

   <form method="POST" action="/your-route">
      {{ csrf_field() }}
      ...
   </form>

  • You can conveniently build JavaScript-driven applications using the Axios HTTP library, because it can be configured once to attach the CSRF token to every outgoing request.

  • The file resources/assets/js/bootstrap.js reads the CSRF token from a meta tag in the page and registers it as a default request header for the Axios HTTP library, so that every request made through Axios carries the token.

Form without CSRF token

Consider the following lines of code. They show a form that takes two parameters as input: email and message.

   <form method="POST" action="/contact">
      Email <input type="text" name="email" />
      Message <input type="text" name="message" />
      <input type="submit" name="submitButton" value="submit" />
   </form>

The above code renders the form that the end user sees: two text fields and a submit button.

The form shown above will accept any input from an authenticated user. Because nothing in the request ties it to the user's own session beyond the cookie the browser sends automatically, a request forged by another site is accepted in the same way, which makes the web application susceptible to CSRF attacks.

Note that clicking the submit button sends the form's POST request to a controller method. The postContact method handles that request for the linked view and, in this example, simply returns all the submitted input. This is shown below −

   use Illuminate\Http\Request;

   // Returns every field submitted with the form as the response
   public function postContact(Request $request) {
      return $request->all();
   }

Please note that the form does not contain any CSRF token, so the sensitive information passed as input can be submitted on the user's behalf by a forged request and is therefore susceptible to various attacks.

Form with CSRF token

The following lines of code show the same form redesigned to include the CSRF token.

   <form method="POST" action="/contact">
      {{ csrf_field() }}
      Email <input type="text" name="email" />
      Message <input type="text" name="message" />
      <input type="submit" name="submitButton" value="submit" />
   </form>

Submitting this form to the postContact method returns JSON that includes the token, as shown below −

   {
      "token": "ghfleifxDSUYEW9WE67877CXNVFJKL",
      "name": "TutorialsPoint",
      "email": "contact@coderlessons.com"
   }

The token field holds the CSRF token that was generated for the session and submitted along with the form when the submit button was clicked.
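To make the verification step concrete, here is an added stand-alone PHP script (not Laravel's own code) that mirrors what csrf_field() and the VerifyCsrfToken middleware do together: it stores one random token per session, renders the hidden _token input, and then accepts a genuine submission while rejecting a request that lacks the token or carries a guessed one. The function names generateCsrfToken, csrfField and tokensMatch, the array-based session and the sample request data are all assumptions made for this illustration.

```php
<?php
// Added illustration, not Laravel's own implementation. The session is a
// plain array and the request data below is constructed for the demo.

function generateCsrfToken(array &$session): string {
    // One random token per session, created on first use and reused afterwards
    if (!isset($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(20));
    }
    return $session['_token'];
}

function csrfField(array &$session): string {
    // Equivalent of {{ csrf_field() }}: a hidden input named _token
    $token = htmlspecialchars(generateCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

function tokensMatch(array $session, array $post, array $headers): bool {
    // The token may arrive as the hidden form field or, for Axios requests,
    // as the X-CSRF-TOKEN header populated from the <meta name="csrf-token"> tag
    $sent     = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    $expected = $session['_token'] ?? null;
    if (!is_string($sent) || !is_string($expected)) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token through timing
    return hash_equals($expected, $sent);
}

// --- Demo: render the hidden field, then verify three kinds of POST ---
$session = [];
echo csrfField($session), PHP_EOL;

// 1. Genuine submission from the application's own form (token present and correct)
$genuine = tokensMatch($session, ['_token' => $session['_token'], 'email' => 'user@example.test'], []);

// 2. Request forged from another site: the browser sends the cookie, but the
//    foreign page cannot read the session token, so the field is missing
$forged = tokensMatch($session, ['email' => 'user@example.test'], []);

// 3. Request carrying a guessed token of the right length but wrong value
$guessed = tokensMatch($session, ['_token' => str_repeat('0', 40)], []);

var_dump($genuine, $forged, $guessed);
```

Only the first case passes; the other two are exactly the requests Laravel's middleware answers with a 419 "Page Expired" response instead of running the controller.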