Disable CSRF in Laravel
#Laravel
Sometimes you need to disable the CSRF token verification in Laravel. A common use case is when you want to receive POST webhooks.
Published by Mark van Eijk on December 6, 2022 · 1 minute read
- What is CSRF?
- Examples of not needing CSRF
- Finding the CSRF middleware
- Disabling CSRF for every route
- Disabling CSRF for path using wildcard
- Disabling CSRF for specific paths
What is CSRF?
Cross-Site Request Forgery (CSRF) protection is a security mechanism that Laravel adds and enables by default. It protects your app against requests forged from outside your application: a randomly generated token that only your application knows is attached to each request from your own pages, and by verifying this token the middleware can detect whether a request is allowed.
Examples of not needing CSRF
Sometimes you don't need the extra protection, or you want to do something that CSRF verification makes difficult. Receiving webhooks is one such case; another is handling incoming API requests on routes that are not defined in routes/api.php and therefore do not use the API middleware group.
I'm not going to argue the best practices here, but I am going to show you how you can disable the CSRF token check in Laravel.
Finding the CSRF middleware
From Laravel v5.1 you can find the CSRF verification middleware at app/Http/Middleware/VerifyCsrfToken.php. There you find a protected array property $except. You can fill this array in different ways; here are some options:
Disabling CSRF for every route
You can disable CSRF completely for all routes in your application using the asterisk (*) wildcard:
protected $except = [
    '*',
];
Disabling CSRF for path using wildcard
Disabling a specific kind of path using a wildcard, is also possible:
protected $except = [
    'webhooks/*',
];
Disabling CSRF for specific paths
In this example only specific non-wildcard paths are defined and exempt from CSRF protection:
protected $except = [
    'webhooks/mailgun',
    'webhooks/postmark',
];
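To see exactly which requests each of the three $except configurations above exempts, here is an added example that is not part of the original article and not Laravel's own code. It is a stand-alone PHP script that re-implements the path matching the real middleware performs (Illuminate\Foundation\Http\Middleware\VerifyCsrfToken::inExceptArray calls $request->is(), which in turn uses Illuminate\Support\Str::is()), so it runs without a Laravel installation. The sample request paths are constructed for the demonstration; the real middleware additionally compares each pattern against the full URL via $request->fullUrlIs(), which is left out here.

```php
<?php
// Added example (not from the original article): a stand-alone re-implementation
// of how Laravel's VerifyCsrfToken middleware decides whether a request path is
// covered by $except. Str::is() semantics are reproduced so this runs without Laravel.
declare(strict_types=1);

/**
 * Equivalent of Illuminate\Support\Str::is(): '*' is the only wildcard and the
 * pattern is anchored at both ends, so it must match the whole path.
 */
function strIs(string $pattern, string $value): bool
{
    if ($pattern === $value) {
        return true;
    }
    $regex = preg_quote($pattern, '#');
    // Every escaped asterisk becomes "match anything", exactly as Str::is() does.
    $regex = str_replace('\*', '.*', $regex);

    return preg_match('#^' . $regex . '\z#u', $value) === 1;
}

/**
 * Equivalent of Illuminate\Http\Request::path(): slashes are trimmed from both
 * ends and the root becomes '/', so '/webhooks/mailgun/' equals 'webhooks/mailgun'.
 */
function requestPath(string $rawPath): string
{
    $path = trim($rawPath, '/');

    return $path === '' ? '/' : $path;
}

/**
 * Mirrors the $request->is() branch of VerifyCsrfToken::inExceptArray():
 * true means the request would skip CSRF token verification entirely.
 */
function isCsrfExempt(array $except, string $rawPath): bool
{
    $path = requestPath($rawPath);
    foreach ($except as $pattern) {
        // The middleware trims slashes from each pattern too (except the bare '/').
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');
        }
        if (strIs($pattern, $path)) {
            return true;
        }
    }

    return false;
}

/**
 * Evaluates constructed sample paths against the three configurations from the article.
 * Returns config name => [path => exempt?].
 */
function exemptionTable(): array
{
    $configs = [
        'every route'    => ['*'],
        'wildcard path'  => ['webhooks/*'],
        'specific paths' => ['webhooks/mailgun', 'webhooks/postmark'],
    ];
    // Constructed sample request paths, including trailing-slash and nested variants.
    $paths = [
        '/', '/login', '/webhooks', '/webhooks/mailgun', '/webhooks/sendgrid/',
        '/webhooks/mailgun/events', '/api/webhooks/mailgun',
    ];

    $table = [];
    foreach ($configs as $name => $except) {
        foreach ($paths as $path) {
            $table[$name][$path] = isCsrfExempt($except, $path);
        }
    }

    return $table;
}

foreach (exemptionTable() as $name => $rows) {
    echo "\$except for {$name}\n";
    foreach ($rows as $path => $exempt) {
        printf("  %-26s %s\n", $path, $exempt ? 'exempt (no CSRF check)' : 'CSRF token required');
    }
}
```

Running it shows the points that matter when choosing a pattern: '*' exempts every path including '/', 'webhooks/*' exempts 'webhooks/mailgun' and 'webhooks/mailgun/events' but neither the bare 'webhooks' nor 'api/webhooks/mailgun' (patterns are anchored, not substring matches), and the specific-path list exempts only the exact paths named. Whatever you exempt receives no CSRF check at all, so a webhook route listed here needs its own authentication, such as verifying the provider's request signature. Note also that the middleware never checks a token for GET, HEAD or OPTIONS requests regardless of $except.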