Cross-Site Request Forgery (CSRF) is a type of attack that performed by the attacker to send requests to a system with the help of an authorized user who is trusted by the system.
Laravel provides protection with the CSRF attacks by generating a CSRF token. This CSRF token is generated automatically for each user. This token is nothing but a random string that is managed by the Laravel application to verify the user requests.
How to Use: This CSRF token protection can be applied to any HTML form in Laravel application by specifying a hidden form field of CSRF token. The requests are validated automatically by the CSRF VerifyCsrfToken middleware.
There are three different ways in which you can do this.
- @csrf
- csrf_field()
- csrf_token()
@csrf: This is a blade template directive for generating the hidden input field in the HTML form.
- Syntax:
<form method="POST"> @csrf // Generate hidden input field ..... ..... </form>
- Example:
<!DOCTYPE html><html><head><title>Laravel | CSRF Protection</title></head><body><section><h1>CSRF Protected HTML Form</h1><formmethod="POST">@csrf<inputtype="text"name="username"placeholder="Username"><inputtype="password"name="password"placeholder="Password"><inputtype="submit"name="submit"value="Submit"></form></section></body></html>
csrf_field(): This function can be used to generate the hidden input field in the HTML form.
Note: This function should be written inside double curly braces.
- Syntax:
<form method="POST"< // Generate hidden input field {{ csrf_field() }} ..... ..... </form> - Example:
<!DOCTYPE html><html><head><title>Laravel | CSRF Protection</title></head><body><section><h1>CSRF Protected HTML Form</h1><formmethod="POST">{{ csrf_field() }}<inputtype="text"name="username"placeholder="Username"><inputtype="password"name="password"placeholder="Password"><inputtype="submit"name="submit"value="Submit"></form></section></body></html>
csrf_token(): This function just gives a random string. This function does not generate the hidden input field.
Note: HTML input field should be written explicitly. This function should be written inside double curly braces.
- Syntax:
<form method="POST"> <input type="hidden" name="_token" value="{{ csrf_token() }}"> ..... ..... </form> - Example:
<!DOCTYPE html><html><head><title>Laravel | CSRF Protection</title></head><body><section><h1>CSRF Protected HTML Form</h1><formmethod="POST"><inputtype="hidden"name="_token"value="{{ csrf_token() }}"><inputtype="text"name="username"placeholder="Username"><inputtype="password"name="password"placeholder="Password"><inputtype="submit"name="submit"value="Submit"></form></section></body></html>
Output: The output is going to be the same for any of the above three ways to generate a CSRF token. The CSRF token field should be written/generated at the start of every HTML form, using any of the three ways, in a Laravel application.
Inspect Element Output:
Reference: https://laravel.com/docs/6.x/csrf
