Introduction
Cross-site request forgery (CSRF) is a type of malicious exploit in which unauthorized commands are performed on behalf of an authenticated user, typically by tricking the user's browser into sending a request to a site that trusts it. Laravel makes it easy to protect your application from cross-site request forgery attacks.
Laravel automatically generates a CSRF "token" for each active user session managed by the application. This token is used to verify that the authenticated user is the one actually making the requests to the application, rather than a third-party site acting in their name.
Any time you define an HTML form in a Laravel application, you should include a CSRF token field in the form so that the CSRF protection middleware can validate the request. To generate a hidden input field containing the CSRF token, use the csrf_field helper:

<form method="POST" action="/profile">
    {{ csrf_field() }}
    ...
</form>
The VerifyCsrfToken middleware, which is included in the web middleware group, will automatically verify that the token submitted with the request matches the token stored in the session.
Excluding URLs from CSRF protection
Sometimes you may wish to exclude a set of URLs from CSRF protection. For example, if you use Stripe to process payments and rely on their webhook system, you will need to exclude your webhook handler route from Laravel's CSRF protection, because Stripe has no way of knowing what token value should be sent to your route.
Typically, you should place this kind of route in routes/web.php outside of the web middleware group. In addition, you can exclude routes by adding their URLs to the $except property of the VerifyCsrfToken middleware:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URLs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
    ];
}
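The following is an added example, not Laravel's own code, that models how an entry such as 'stripe/*' in the $except array is matched against an incoming request path. Laravel performs this check through Request::is() / Str::is(); the wildcard-to-regex conversion below is an assumption that mirrors that behaviour ('*' matches any run of characters, everything else is literal, and the pattern is anchored to the whole path). The sample paths are constructed for the demonstration.

```php
<?php
// Added example (not part of Laravel): a self-contained approximation of how
// the VerifyCsrfToken middleware decides whether a request path is covered by
// the $except array. The regex conversion is an assumption that mirrors
// Str::is(): '*' becomes '.*', everything else is matched literally, and the
// pattern must cover the whole path.

/**
 * Return true when $path matches the wildcard $pattern.
 * Leading and trailing slashes are ignored, as Laravel does for route matching.
 */
function pathMatchesPattern(string $pattern, string $path): bool
{
    $pattern = trim($pattern, '/');
    $path = trim($path, '/');

    // Escape regex metacharacters, then turn the escaped '*' back into '.*'.
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';

    return preg_match($regex, $path) === 1;
}

/**
 * Decide whether a request path is exempt from CSRF verification.
 */
function isExcludedFromCsrf(array $except, string $path): bool
{
    foreach ($except as $pattern) {
        if (pathMatchesPattern($pattern, $path)) {
            return true;
        }
    }

    return false;
}

// Constructed sample data: the $except array from the page plus a few paths.
$except = ['stripe/*'];

$samples = [
    '/stripe/webhook'      => true,   // the webhook route Stripe will call
    '/stripe/webhook/v2'   => true,   // '*' also spans nested segments
    '/stripe'              => false,  // no trailing segment, so 'stripe/*' does not match
    '/profile'             => false,  // ordinary form route: still protected
    '/admin/stripe/events' => false,  // pattern is anchored at the start of the path
];

foreach ($samples as $path => $expected) {
    $excluded = isExcludedFromCsrf($except, $path);
    printf("%-22s excluded=%s\n", $path, $excluded ? 'yes' : 'no');
    assert($excluded === $expected);
}
```

The point to take from the last two sample paths is that exclusions are anchored: 'stripe/*' does not silently cover a route that merely contains "stripe" somewhere, and only routes that really cannot carry a token (such as third-party webhooks) belong in $except. A pattern such as '*' would disable CSRF verification for the whole application. Laravel additionally tests each pattern against the full URL, so patterns that include the host also work.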
X-CSRF-TOKEN
In addition to checking for the CSRF token as a POST parameter, the VerifyCsrfToken middleware will also check the X-CSRF-TOKEN request header. You could, for example, store the token in a meta tag:

<meta name="csrf-token" content="{{ csrf_token() }}">
Once you have created the meta tag, you can instruct a library such as jQuery to add the token to all request headers automatically. This provides simple, convenient CSRF protection for your AJAX-based applications:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});
X-XSRF-TOKEN
Laravel also stores the CSRF token in a cookie named XSRF-TOKEN, which you can use to set the X-XSRF-TOKEN request header. Some JavaScript frameworks, such as Angular, set this header for you automatically, so you typically do not need to set this value manually.
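The following is an added example, not Laravel's own code, that models the verification step described above for the web middleware group and for the X-CSRF-TOKEN and X-XSRF-TOKEN sections: the token is taken from the request (the _token form field, then the X-CSRF-TOKEN header, then the X-XSRF-TOKEN header that frameworks fill from the XSRF-TOKEN cookie) and compared to the session token in constant time. Laravel encrypts the XSRF-TOKEN cookie and decrypts the X-XSRF-TOKEN header before comparing; this example skips that encryption step, which is an assumption made to keep it stand-alone. The function names and the sample session and requests are constructed for the demonstration.

```php
<?php
// Added example (not part of Laravel): a minimal model of what the
// VerifyCsrfToken middleware checks. Assumptions: the XSRF-TOKEN cookie value is
// used unencrypted here (Laravel encrypts it and decrypts the X-XSRF-TOKEN
// header first), and the token is 40 hex characters like a Laravel session token.

/** Generate a session token the way a new session would (40 random characters). */
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(20));
}

/**
 * Pick the token from the request, in the same order of precedence Laravel uses:
 * form input first, then the X-CSRF-TOKEN header, then the X-XSRF-TOKEN header.
 */
function tokenFromRequest(array $input, array $headers): ?string
{
    if (isset($input['_token']) && is_string($input['_token']) && $input['_token'] !== '') {
        return $input['_token'];
    }
    if (!empty($headers['X-CSRF-TOKEN'])) {
        return $headers['X-CSRF-TOKEN'];
    }
    if (!empty($headers['X-XSRF-TOKEN'])) {
        return $headers['X-XSRF-TOKEN'];
    }

    return null;
}

/** Constant-time comparison, so timing does not leak how many bytes matched. */
function tokensMatch(?string $sessionToken, ?string $requestToken): bool
{
    if (!is_string($sessionToken) || !is_string($requestToken)) {
        return false;
    }

    return hash_equals($sessionToken, $requestToken);
}

// Constructed sample session and requests.
$session = ['_token' => generateCsrfToken()];

$requests = [
    'classic form post with csrf_field()' => [
        'input'   => ['_token' => $session['_token'], 'name' => 'Alice'],
        'headers' => [],
        'expect'  => true,
    ],
    'jQuery ajax using the meta tag' => [
        'input'   => ['name' => 'Alice'],
        'headers' => ['X-CSRF-TOKEN' => $session['_token']],
        'expect'  => true,
    ],
    'Angular-style header from XSRF-TOKEN cookie' => [
        'input'   => [],
        'headers' => ['X-XSRF-TOKEN' => $session['_token']],
        'expect'  => true,
    ],
    'cross-site post carrying no token' => [
        'input'   => ['name' => 'Mallory'],
        'headers' => [],
        'expect'  => false,
    ],
    'token from a different session' => [
        'input'   => ['_token' => generateCsrfToken()],
        'headers' => [],
        'expect'  => false,
    ],
];

foreach ($requests as $label => $r) {
    $ok = tokensMatch($session['_token'], tokenFromRequest($r['input'], $r['headers']));
    printf("%-45s %s\n", $label, $ok ? 'accepted' : 'rejected (TokenMismatchException)');
    assert($ok === $r['expect']);
}
```

The two rejected cases are the ones CSRF protection exists for: a request forged from another origin cannot read the session token out of the meta tag or the form, and cannot read the XSRF-TOKEN cookie either, so whatever it sends (nothing, or a token belonging to some other session) fails the comparison. Using hash_equals rather than == is what Laravel's own middleware does, so a partially correct token takes no longer to reject than a wholly wrong one.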
HTTP Layer -- CSRF Protection