PHP Framework
Laravel
How to use middleware for Cross-site Request Forgery (CSRF) protection in Laravel
How to use middleware for Cross-site Request Forgery (CSRF) protection in Laravel
In modern web applications, cross-site request forgery (CSRF) attacks have become a common attack method. Laravel is a popular PHP framework that has a built-in CSRF protection mechanism. , using middleware can easily add CSRF protection to applications.
This article will introduce how to use middleware for CSRF protection in Laravel and provide specific code examples.
What is a Cross-Site Request Forgery (CSRF) attack?
Cross-Site Request Forgery attack, the English name is Cross-Site Request Forgery, referred to as CSRF, is an attack method that initiates malicious requests by forging user identities.
Attackers usually carry out CSRF attacks by tricking users into clicking on pages with malicious links or inserting malicious scripts into websites where the victim has logged in. When the victim is logged in, the attacker initiates a series of malicious requests (such as changing passwords, posting messages, etc.). These requests appear to be legitimate to the victim, but in fact these requests are initiated by the attacker. This will cause certain harm to the victim.
How to use middleware for CSRF protection in Laravel?
Laravel provides us with a very convenient mechanism to protect applications from CSRF attacks. The Laravel framework has a built-in CSRF protection mechanism, which can be implemented through middleware.
In Laravel, we use CSRF middleware to check whether the CSRF token on POST, PUT, DELETE requests is valid. By default, Laravel adds the VerifyCsrfToken middleware to your application and automatically checks whether the CSRF token for these requests is valid.
If the CSRF token is invalid, Laravel will throw a TokenMismatchException exception and provide a default error view. We can also customize error handling according to our own needs.
Configure CSRF token
Laravel will generate a CSRF token for the application in each user session. We can configure the application in the configuration file config/csrf.php Adjust the configuration of CSRF tokens. This configuration file allows you to configure the CSRF COOKIE and the name of the CSRF token in the request.
<?php
return [
/*
|--------------------------------------------------------------------------
| CSRF Cookie Name
|--------------------------------------------------------------------------
|
| The name of the cookie used to store the CSRF token.
|
*/
'cookie' => 'XSRF-TOKEN',
/*
|--------------------------------------------------------------------------
| CSRF Header Name
|--------------------------------------------------------------------------
|
| The name of the CSRF header used to store the CSRF token.
|
*/
'header' => 'X-XSRF-TOKEN',
/*
|--------------------------------------------------------------------------
| CSRF Token Expiration
|--------------------------------------------------------------------------
|
| The number of minutes that the CSRF token should be considered valid.
|
*/
'expire' => 60,
];Using CSRF Middleware
VerifyCsrfTokenMiddleware in Laravel will check whether the CSRF token is valid on any POST, PUT or DELETE request defined in the route . By default, the application's routes/web.php file will also use the VerifyCsrfToken middleware in addition to the web middleware.
You can add CSRF middleware in the middleware group for use in other routes in the application. In order to protect a route with middleware, we can add it to the route definition using the middleware method as follows:
Route::middleware(['web', 'csrf'])->group(function () {
//
});Custom CSRF error handling
Default case If an incorrect CSRF token is detected using the VerifyCsrfToken middleware, Laravel will throw a TokenMismatchException exception and provide a default error view.
We can try to catch CSRF exceptions and specify our own error handling methods in the app/Exceptions/Handler.php file. Here is an example of a custom CSRF exception handler:
<?php
namespace AppExceptions;
use Exception;
use IlluminateFoundationExceptionsHandler as ExceptionHandler;
use IlluminateSessionTokenMismatchException;
class Handler extends ExceptionHandler
{
/**
* A list of the exception types that should be reported.
*
* @var array
*/
protected $dontReport = [
TokenMismatchException::class,
];
/**
* Report or log an exception.
*
* @param Exception $exception
* @return void
*
* @throws Exception
*/
public function report(Exception $exception)
{
parent::report($exception);
}
/**
* Render an exception into an HTTP response.
*
* @param IlluminateHttpRequest $request
* @param Exception $exception
* @return IlluminateHttpResponse
*
* @throws Exception
*/
public function render($request, Exception $exception)
{
if ($exception instanceof TokenMismatchException) {
// 处理CSRF异常
return redirect()
->back()
->withInput($request->input())
->with('error', 'CSRF Token Mismatch');
}
return parent::render($request, $exception);
}
} In the above code, we catch the TokenMismatchException exception and use the with method to pass the error message Save to error flash data. Later, we can access this flash data in the view using the with method.
Finally, we can add a CSRF token field to the view for any form that requires submitting a POST, PUT, or DELETE request. The CSRF token field can be generated in the form using the csrf_field method as shown below:
<form method="POST" action="/example">
{{ csrf_field() }}
<!-- Your form fields go here... -->
<button type="submit">Submit</button>
</form>Summary
In this article, we have introduced how to use it in Laravel Middleware protects applications from CSRF attacks. We have effectively improved application security by configuring CSRF tokens, using the default VerifyCsrfToken middleware, and customizing CSRF error handling methods. I believe these technologies can help you build more secure web applications.
The above is the detailed content of How to use middleware for Cross-site Request Forgery (CSRF) protection in Laravel. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
Comparison of the latest versions of Laravel and CodeIgniter
Jun 05, 2024 pm 05:29 PM
The latest versions of Laravel 9 and CodeIgniter 4 provide updated features and improvements. Laravel9 adopts MVC architecture and provides functions such as database migration, authentication and template engine. CodeIgniter4 uses HMVC architecture to provide routing, ORM and caching. In terms of performance, Laravel9's service provider-based design pattern and CodeIgniter4's lightweight framework give it excellent performance. In practical applications, Laravel9 is suitable for complex projects that require flexibility and powerful functions, while CodeIgniter4 is suitable for rapid development and small applications.
PHP Framework Security Guide: How to Prevent CSRF Attacks?
Jun 01, 2024 am 10:36 AM
PHP Framework Security Guide: How to Prevent CSRF Attacks? A Cross-Site Request Forgery (CSRF) attack is a type of network attack in which an attacker tricks a user into performing unintended actions within the victim's web application. How does CSRF work? CSRF attacks exploit the fact that most web applications allow requests to be sent between different pages within the same domain name. The attacker creates a malicious page that sends requests to the victim's application, triggering unauthorized actions. How to prevent CSRF attacks? 1. Use anti-CSRF tokens: Assign each user a unique token, store it in the session or cookie. Include a hidden field in your application for submitting that token
How do the data processing capabilities in Laravel and CodeIgniter compare?
Jun 01, 2024 pm 01:34 PM
Compare the data processing capabilities of Laravel and CodeIgniter: ORM: Laravel uses EloquentORM, which provides class-object relational mapping, while CodeIgniter uses ActiveRecord to represent the database model as a subclass of PHP classes. Query builder: Laravel has a flexible chained query API, while CodeIgniter’s query builder is simpler and array-based. Data validation: Laravel provides a Validator class that supports custom validation rules, while CodeIgniter has less built-in validation functions and requires manual coding of custom rules. Practical case: User registration example shows Lar
Laravel - Artisan Commands
Aug 27, 2024 am 10:51 AM
Laravel - Artisan Commands - Laravel 5.7 comes with new way of treating and testing new commands. It includes a new feature of testing artisan commands and the demonstration is mentioned below ?
Which one is more beginner-friendly, Laravel or CodeIgniter?
Jun 05, 2024 pm 07:50 PM
For beginners, CodeIgniter has a gentler learning curve and fewer features, but covers basic needs. Laravel offers a wider feature set but has a slightly steeper learning curve. In terms of performance, both Laravel and CodeIgniter perform well. Laravel has more extensive documentation and active community support, while CodeIgniter is simpler, lightweight, and has strong security features. In the practical case of building a blogging application, Laravel's EloquentORM simplifies data manipulation, while CodeIgniter requires more manual configuration.
Laravel vs CodeIgniter: Which framework is better for large projects?
Jun 04, 2024 am 09:09 AM
When choosing a framework for large projects, Laravel and CodeIgniter each have their own advantages. Laravel is designed for enterprise-level applications, offering modular design, dependency injection, and a powerful feature set. CodeIgniter is a lightweight framework more suitable for small to medium-sized projects, emphasizing speed and ease of use. For large projects with complex requirements and a large number of users, Laravel's power and scalability are more suitable. For simple projects or situations with limited resources, CodeIgniter's lightweight and rapid development capabilities are more ideal.
Laravel vs CodeIgniter: Which framework is better for small projects?
Jun 04, 2024 pm 05:29 PM
For small projects, Laravel is suitable for larger projects that require strong functionality and security. CodeIgniter is suitable for very small projects that require lightweight and ease of use.
Which is the better template engine, Laravel or CodeIgniter?
Jun 03, 2024 am 11:30 AM
Comparing Laravel's Blade and CodeIgniter's Twig template engine, choose based on project needs and personal preferences: Blade is based on MVC syntax, which encourages good code organization and template inheritance. Twig is a third-party library that provides flexible syntax, powerful filters, extended support, and security sandboxing.
