Solution: 1. Laravel automatically generates a CSRF Token for each user Session. This Token is used to verify that the logged-in user and the person who initiated the request are the same person; if they are not, the request fails. 2. Laravel provides a global helper function csrf_token to obtain the Token value; just add the token field to the view's submission form, with the syntax <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">.
The operating environment of this article: Windows 10 system, Laravel version 9, Dell G3 computer.
Solution to csrf attacks in laravel
CSRF is the English abbreviation of Cross-site request forgery;
Avoiding CSRF attacks in the Laravel framework is very simple:
1. Laravel automatically generates a CSRF Token for each user Session. This Token is used to verify that the logged-in user and the requester are the same person; if they are not, the request fails. (The principle is the same as a verification code.)
2. Laravel provides a global helper function csrf_token to obtain the Token value, so you only need to add the following HTML code to the view's submission form to include the Token in the request:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
How to avoid CSRF attacks in Laravel
Case: demonstrating the csrf verification mechanism through an example
1. Create two routes, one to display the form (get) and one to handle the request (post)
Route::get('test6', 'Home\TestController@test6');
Route::post('test7', 'Home\TestController@test7');
2. Create the required methods
public function test6()
{
    return view('home.test.test6');
}

public function test7()
{
    // The message means "request submitted successfully"
    return "请求提交成功";
}
3. Create the required simple form
4. Submission effect (error page)
Conclusion: the case just shown demonstrates that the csrf verification mechanism in laravel is enabled by default.
5. Solve the error problem (how to pass csrf verification)
Solution: include the token value required by csrf in the form, so that it is passed to the subsequent method along with the request
Simplified form of the csrf_token method: {{ csrf_field() }}
Specific expression:
The difference between the two:
csrf_token only outputs the token value
csrf_field outputs an entire hidden input field
How to choose between them: in most cases you can pick whichever suits the situation. There is one situation, however, where the developer has no choice and must use csrf_token: when the form is submitted asynchronously.
Exclude exception routing from CSRF verification
Not all requests need to avoid CSRF attacks, such as requests to third-party APIs to obtain data.
You can set exceptions by adding the request URLs to be excluded to the $except property array in the VerifyCsrfToken (app/Http/Middleware/VerifyCsrfToken.php) middleware:
Set exceptions by writing the configuration:
Single route exclusion:
'home.test.test6',
Multiple elements are separated by "," following array syntax:
'home.test.test6','home.test.test7'
If you need to exclude all routes from csrf verification, you can write:
'*'
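To make the two points above concrete (the asynchronous case where the token travels outside the form, and the $except exclusion list), here is an added illustrative re-implementation of the checks the VerifyCsrfToken middleware performs. It is not Laravel's own code; the function names csrfExcluded and csrfTokensMatch and the sample values are constructed for this example. Note that $except entries are URI patterns such as 'test7' or 'api/*' (with '*' as a wildcard), not view names, which the last call illustrates.

```php
<?php
// Illustrative re-implementation (not Laravel's code) of the two checks that
// VerifyCsrfToken performs: is the request URI excluded, and does the request
// carry the session's token, either as the hidden _token field of an ordinary
// form or as the X-CSRF-TOKEN header an asynchronous request sends instead.

/** True when $uri matches one of the $except patterns ('*' is a wildcard). */
function csrfExcluded(string $uri, array $except): bool
{
    $uri = trim($uri, '/');
    foreach ($except as $pattern) {
        $pattern = trim($pattern, '/');
        if ($pattern === '*') {
            return true;
        }
        // Turn 'api/webhooks/*' into a regex so the wildcard matches any suffix.
        $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
        if (preg_match($regex, $uri) === 1) {
            return true;
        }
    }
    return false;
}

/** True when the request's token equals the session token (constant-time compare). */
function csrfTokensMatch(string $sessionToken, array $post, array $headers): bool
{
    // Ordinary form: hidden input named _token. Asynchronous request: header.
    $token = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    if (!is_string($token) || $token === '') {
        return false;
    }
    // hash_equals avoids leaking the token through timing differences.
    return hash_equals($sessionToken, $token);
}

// Constructed sample values, not real tokens.
$session = 'constructed-session-token-123';
var_dump(csrfTokensMatch($session, ['_token' => $session], []));        // form field
var_dump(csrfTokensMatch($session, [], ['X-CSRF-TOKEN' => $session]));  // async header
var_dump(csrfTokensMatch($session, ['_token' => 'forged-value'], []));  // mismatch
var_dump(csrfExcluded('api/webhooks/pay', ['api/webhooks/*']));        // wildcard URI
var_dump(csrfExcluded('test7', ['home.test.test6']));                  // view name, no match
```

The first two calls succeed because the same session token arrives by either channel; the third fails, which is exactly the error page seen in step 4 when the form carries no valid token.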
The above is the detailed content of Solution to csrf attack in laravel. For more information, please follow other related articles on the PHP Chinese website!