- Laravel - Action URL
- Laravel - Dump Server
- Laravel - Pagination Customizations
- Laravel - Artisan Commands
- Laravel - Guest User Gates
- Understanding Release Process
- Laravel - Hashing
- Laravel - Encryption
- Laravel - Artisan Console
- Laravel - Authorization
- Laravel - Authentication
- Laravel - CSRF Protection
- Laravel - Contracts
- Laravel - Facades
- Laravel - Event Handling
- Laravel - Error Handling
- Laravel - Ajax
- Laravel - Sending Email
- Laravel - File Uploading
- Laravel - Validation
- Laravel - Session
- Laravel - Localization
- Laravel - Forms
- Laravel - Errors & Logging
- Laravel - Working With Database
- Laravel - Redirections
- Laravel - Blade Templates
- Laravel - Views
- Laravel - Response
- Laravel - Cookie
- Laravel - Request
- Laravel - Controllers
- Laravel - Namespaces
- Laravel - Middleware
- Laravel - Routing
- Laravel - Configuration
- Laravel - Application Structure
- Laravel - Installation
- Laravel - Overview
- Laravel - Home
Laravel Useful Resources
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
Laravel - CSRF Protection
CSRF refers to Cross Site Forgery attacks on web apppcations. CSRF attacks are the unauthorized activities which the authenticated users of the system perform. As such, many web apppcations are prone to these attacks.
Laravel offers CSRF protection in the following way −
Laravel includes an in built CSRF plug-in, that generates tokens for each active user session. These tokens verify that the operations or requests are sent by the concerned authenticated user.
Implementation
The implementation of CSRF protection in Laravel is discussed in detail in this section. The following points are notable before proceeding further on CSRF protection −
CSRF is implemented within HTML forms declared inside the web apppcations. You have to include a hidden vapdated CSRF token in the form, so that the CSRF protection middleware of Laravel can vapdate the request. The syntax is shown below −
<form method = "POST" action="/profile"> {{ csrf_field() }} ... </form>
You can conveniently build JavaScript driven apppcations using JavaScript HTTP pbrary, as this includes CSRF token to every outgoing request.
The file namely resources/assets/js/bootstrap.js registers all the tokens for Laravel apppcations and includes meta tag which stores csrf-token with Axios HTTP pbrary.
Form without CSRF token
Consider the following pnes of code. They show a form which takes two parameters as input: email and message.
<form> <label> Email </label> <input type = "text" name = "email"/> <br/> <label> Message </label> <input type="text" name = "message"/> <input type = ”submit” name = ”submitButton” value = ”submit”> </form>
The result of the above code is the form shown below which the end user can view −
The form shown above will accept any input information from an authorized user. This may make the web apppcation prone to various attacks.
Please note that the submit button includes functionapty in the controller section. The postContact function is used in controllers for that associated views. It is shown below −
pubpc function postContact(Request $request) { return $request-> all(); }
Observe that the form does not include any CSRF tokens so the sensitive information shared as input parameters are prone to various attacks.
Form with CSRF token
The following pnes of code shows you the form re-designed using CSRF tokens −
<form method = ”post” > {{ csrf_field() }} <label> Email </label> <input type = "text" name = "email"/> <br/> <label> Message </label> <input type = "text" name = "message"/> <input type = ”submit” name = ”submitButton” value = ”submit”> </form>
The output achieved will return JSON with a token as given below −
{ "token": "ghfleifxDSUYEW9WE67877CXNVFJKL", "name": "TutorialsPoint", "email": "contact@tutorialspoint.com" }
This is the CSRF token created on cpcking the submit button.
Advertisements