The full form of CSRF is Cross-Site Request Forgery. It is one type of online attack in which the attacker sends requests as an authorized user to a system by gaining access information of a particular user of that system and performs different types of malicious activities by using the identity of that user. The impact of this attack depends on the victim’s privileges on the system. If the victim is a normal user then it will affect the personal data of the victim only. But if the victim is the administrator of the system then the attacker can damage the whole system. The users of any business website, social networking can be affected by this attack. This attack can be prevented easily by using Laravel CSRF protection to make the system more secure. Laravel generates CRSF token for each active user session automatically by which any request and approval are given to the authenticated user for the system. How Laravel CSRF Protection can be applied in the Laravel application is shown in this tutorial.
Pre-requisites:
Before starting this tutorial, you have to make sure that the Laravel is installed and working properly in the system. I have installed the following applications on the system to do this tutorial.
- Apache/2.4.41 (Ubuntu)
- PHP 7.4.3 (cli)
- mariadb Ver 15.1
- Laravel Framework 7.25.0
How to implement CSRF:
CSRF protection can be implemented in Laravel by using any HTML Form with a hidden form of CSRF token and the request from the user is validated by using CSRF VerifyCsrfToken middleware. Any of the following options can be used to generate a CSRF token.
A. @csrf
It is a blade directive to generate a token field that will use for verification. It generates a hidden input field.
B. csrf_token()
This function can be used in the meta tag and the hidden input field of the HTML form. It generates a random string as a CSRF token.
C. csrf_field()
This function creates a hidden field for the HTML form where it is used and generates CSRF token.
The uses of the above options are shown using HTML forms in the next section of the tutorial.
Use of @csrf:
Create a Laravel view file named csrf1.blade.php with the following HTML code where @csrf directive is used to generate CSRF token.
csrf1.blade.php
Laravel CSRF Protection Method-1
@csrf
Add the following route in the web.php file to load the view file in the browser. When the user will give csrf1 after the base URL then it will search csrf1.blade.php file in the view folder of the Laravel project.
Route::view(‘/csrf1’, ‘csrf1’);
Start the Apache server and run the following URL from the browser to load the view in the browser. Here, laravelpro is the laravel project name. You can also run the Laravel development server using PHP artisan command.
https://localhost/laravelpro/public/csrf1
If you inspect the page then you will get the output like below. Here, a hidden field with the value is generated automatically by @csrf directive.
Use of csrf_token():
Create a Laravel view file named csrf2.blade.php with the following HTML code where the csrf_token() function is used to generate CSRF token. This function is used as the value of the value attribute of the hidden field and it is used with two curly brackets.
csrf2.blade.php
Laravel CSRF Protection Method-2
Add the following route in the web.php file to load the view file in the browser. Like the first method, When the user will give csrf2 after the base URL then it will search csrf2.blade.php file in the view folder of the Laravel project.
Route::view(‘/csrf2’, ‘csrf2’);
Run the following URL from any browser like before to load the second view file.
https://localhost/laravelpro/public/csrf2
If you inspect the page then you will get the output like below. Here, the value of the hidden field is generated by using the csrf_token() function.
Use of csrf_field():
Create a Laravel view file named csrf3.blade.php with the following HTML code where the csrf_field() function is used to generate CSRF token. This function works like @csrf directive and you don’t need to add a hidden field in the HTML form. It is also used with two curly brackets like csrf_token() function.
csrf3.blade.php
Laravel CSRF Protection Method-3
{{ csrf_field() }}
Add the following route in the web.php file to load the view file in the browser. Like the first method, When the user will give csrf3 after the base URL then it will search csrf3.blade.php file in the view folder of the Laravel project.
Route::view(‘/csrf3’, ‘csrf3’);
Run the following URL from any browser like before to load the second view file.
https://localhost/laravelpro/public/csrf3
If you inspect the page then you will get the output like below. Here, the value of the hidden field is generated by using the csrf_field() function.
All three methods of generating CSRF token shown above generates the same token value for the same browser. When the attacker will send any request to access the content of any authenticated user who is online then VerifyCsrfToken middleware will match the request token and stored session token to validate the request before handling. In this way, the CSRF attack can be prevented easily in Laravel. This protection can be disabled from the Laravel by removing the entry of AppHttpMiddlewareVerifyCsrfToken of $middleware array from the file app/http/kernel.php.
Conclusion:
The unauthorized access can make a major impact on any application and damage the data of it properly. So, CSRF protection is very important to secure any application where the different types of transnational tasks are done. This tutorial will help the Laravel developers to know the ways to secure their application using CSRF protection.
About the author
Fahmida Yesmin
I am a trainer of web programming courses. I like to write article or tutorial on various IT topics. I have a YouTube channel where many types of tutorials based on Ubuntu, Windows, Word, Excel, WordPress, Magento, Laravel etc. are published: Tutorials4u Help.
