Home > PHP Framework > Laravel > body text

Laravel - CSRF Protection

王林
Release: 2024-08-27 13:24:38
Original
634 people have browsed it

CSRF refers to Cross Site Forgery attacks on web applications. CSRF attacks are the unauthorized activities which the authenticated users of the system perform. As such, many web applications are prone to these attacks.

Laravel offers CSRF protection in the following way −

Laravel includes an in built CSRF plug-in, that generates tokens for each active user session. These tokens verify that the operations or requests are sent by the concerned authenticated user.

Implementation

The implementation of CSRF protection in Laravel is discussed in detail in this section. The following points are notable before proceeding further on CSRF protection −

  • CSRF is implemented within HTML forms declared inside the web applications. You have to include a hidden validated CSRF token in the form, so that the CSRF protection middleware of Laravel can validate the request. The syntax is shown below −

<form method = "POST" action="/profile">
   {{ csrf_field() }}
   ...
</form>
Copy after login
  • You can conveniently build JavaScript driven applications using JavaScript HTTP library, as this includes CSRF token to every outgoing request.

  • The file namely resources/assets/js/bootstrap.js registers all the tokens for Laravel applications and includes meta tag which stores csrf-token with Axios HTTP library.

Form without CSRF token

Consider the following lines of code. They show a form which takes two parameters as input: email and message.

<form>
   <label> Email </label>
      <input type = "text" name = "email"/>
      <br/>
   <label> Message </label> <input type="text" name = "message"/>
   <input type = ”submit” name = ”submitButton” value = ”submit”>
</form>
Copy after login

The result of the above code is the form shown below which the end user can view −

Contact Form

The form shown above will accept any input information from an authorized user. This may make the web application prone to various attacks.

Please note that the submit button includes functionality in the controller section. The postContact function is used in controllers for that associated views. It is shown below −

public function postContact(Request $request) {
   return $request-> all();
}
Copy after login

Observe that the form does not include any CSRF tokens so the sensitive information shared as input parameters are prone to various attacks.

Form with CSRF token

The following lines of code shows you the form re-designed using CSRF tokens −

<form method = ”post” >
   {{ csrf_field() }}
   <label> Email </label>
   <input type = "text" name = "email"/>
   <br/>
   <label> Message </label>
   <input type = "text" name = "message"/>
   <input type = ”submit” name = ”submitButton” value = ”submit”>
</form>
Copy after login

The output achieved will return JSON with a token as given below −

{
   "token": "ghfleifxDSUYEW9WE67877CXNVFJKL",
   "name": "TutorialsPoint",
   "email": "contact@tutorialspoint.com"
}
Copy after login

This is the CSRF token created on clicking the submit button.

The above is the detailed content of Laravel - CSRF Protection. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template