Laravel's form forgery and CSRF protection

We know that the most popular API design specification currently is restFul API design. Restful has five common HTTP methods, namely: get, post, put, patch and delete. It is very easy to construct the get or post method using the html form, but the other three methods are not supported. But in laravel, you can use the other three methods mentioned above through form forgery technology.

Recommended tutorial: "laravel framework"

Preparation work

First we have to prepare Work well done. We need to create two routes: a form route and a route that accepts forms.

// 表单页
Route::get('form', function () {
    return view('form');
});

// 接受表单请求
Route::any('getform', function () {
    return \Illuminate\Support\Facades\Request::method();
});

At the beginning, we made the simplest get request form, the content is as follows:

<form method="get" action="/getform">
    <input type="submit" value="sub" />
</form>

After clicking the submit button, 'GET' appears in the browser, indicating that the get request was successfully sent and accepted. .

CSRF protection

Then, we change to the post method, then refresh and click the submit button to see what happens. You will find an error with "page expired" and status code 419. Why can't laravel accept post requests? Here we will introduce laravel's default CSRF protection mechanism.

In order to prevent cross-site request forgery attacks, laravel provides CSRF token protection. Therefore, for all methods except the get method request, the reader needs to add the CSRF token to the form, as follows:

<input type="hidden" name="_token" value="{{csrf_token()}}">

It also has an abbreviation method, as follows:

@csrf

Turn off the CSRF protection function

It is generally not recommended to turn off the CSRF function of the entire site. It is very simple to turn it off, just comment out the

\App\Http\Middleware\VerifyCsrfToken::class

line in the Kernel.php file.

CSRF whitelist

Often we need to set a group of URLs that do not require CSRF protection, such as API interfaces provided by third parties, we It is hoped that all external API interfaces will not require CSRF protection. Then, you can use the CSRF whitelist function to set the whitelist in the app/Http/Middleware/VerifyCsrfToken.php file. As follows:

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        /* 这里是白名单列表 */
        'http://example.com/api/*',
        'api/*',
        'a/b/*'
    ];
}

Note: To facilitate testing, the csrf function will be automatically turned off when testing the environment

##Form forgery

After learning the CSRF protection mechanism, let’s take a look at how to forge the form. It is also very simple to forge a form. You only need to add

<input type="hidden" name="_method" value="PUT">

or abbreviated to

@method('PUT')

in the form. The following is a form for forging a put request

    @csrf
    @method('PUT')
    

The above is the detailed content of Laravel's form forgery and CSRF protection. For more information, please follow other related articles on the PHP Chinese website!