
What is CSRF protection in Laravel?

Written by StageBit Engineering Team
Updated January 2026

CSRF (Cross-Site Request Forgery) protection is a security feature that prevents attackers from performing unauthorized actions on behalf of authenticated users. Laravel enables CSRF protection by default to ensure that all state-changing requests come from a trusted source.

What is CSRF?

A CSRF attack occurs when a logged-in user is tricked into submitting a request they did not intend to make. Because browsers automatically send session cookies, the server may treat the request as legitimate unless CSRF protection is in place.

How CSRF Attacks Happen

  1. A user logs into a trusted website.
  2. The user visits a malicious website or clicks a hidden link.
  3. The malicious site sends a request to the trusted application.
  4. If CSRF protection is missing, the action is executed using the user’s session.

How Laravel Prevents CSRF Attacks

Laravel protects against CSRF attacks by using a unique token tied to each user session. This token must be included with every request that modifies server data.

CSRF Middleware

In Laravel 12, CSRF protection is handled by the ValidateCsrfToken middleware. It automatically verifies that the CSRF token sent with the request matches the token stored in the user’s session.

CSRF Tokens in Forms

All HTML forms that send POST, PUT, PATCH, or DELETE requests must include a CSRF token.

<form method="POST" action="/profile">
  @csrf
  <button type="submit">Save</button>
</form>

CSRF Tokens in AJAX Requests

For AJAX or SPA requests, Laravel expects the CSRF token to be sent in a request header. Laravel also writes the same token to an XSRF-TOKEN cookie, so JavaScript HTTP clients can read it and send it back as the X-XSRF-TOKEN header.

// Read the token from <meta name="csrf-token" content="..."> in the page head
// and send it with every state-changing request.
fetch('/profile', {
  method: 'POST',
  headers: {
    'X-CSRF-TOKEN': document
      .querySelector('meta[name="csrf-token"]')
      .getAttribute('content')
  }
});

Token Validation

If the CSRF token is missing or invalid, Laravel immediately blocks the request and returns a 419 Page Expired response. This prevents unauthorized actions from being executed.

Safe HTTP Methods

Laravel does not require CSRF tokens for read-only requests such as GET, HEAD, and OPTIONS. These methods are considered safe because they should not modify server data.

Additional Protection with Cookies

Laravel also configures session cookies with the SameSite attribute (set to Lax by default). This modern browser feature adds an extra layer of protection by blocking cross-site requests in many CSRF scenarios.

Excluding Specific Routes

Some routes, such as external webhooks or APIs, may not require CSRF protection. In Laravel 12, these routes can be excluded safely during application bootstrap, but this should only be done for trusted endpoints.

Best Practices for CSRF Protection

  • Always keep CSRF protection enabled for web routes
  • Include CSRF tokens in all forms and AJAX requests
  • Never disable CSRF protection globally
  • Exclude routes only when absolutely necessary
  • Use HTTPS along with CSRF protection

Conclusion

CSRF protection prevents attackers from abusing authenticated user sessions. Laravel’s token-based approach, combined with middleware validation and secure cookies, ensures that only intentional and trusted requests are processed. When used correctly, it significantly strengthens application security.
