Disable CSRF token protection in laravel

CSRF token protection is a security mechanism that helps protect your site against attackers. But sometimes we need to disable it, either for the whole application or just for a few routes. In Laravel we can achieve this in several ways; let’s learn them one by one.

  1. Disable CSRF Token Protection for Entire Application
  2. Disable CSRF Token Protection for Specific Routes

Before starting, let’s understand what CSRF token protection is.

What is CSRF Token Protection?

CSRF token protection is a security mechanism against cross-site request forgery. In Laravel, the framework automatically generates a CSRF “token” for each active user session it manages. This token is used to verify that the authenticated user is actually the one making the requests to the application, and not a third-party site acting on that user’s behalf.

Disable CSRF Token Protection for Entire Application

To disable CSRF protection for the entire application we just need to disable the VerifyCsrfToken middleware in the application’s Kernel file, as in the example below:

app\Http\Kernel.php

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        //commented below line
        // \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'api' => [
        // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];

In the above file, we just commented out the one line that loads the VerifyCsrfToken middleware. From then on, no request to the web portal validates the CSRF token, so every state-changing route in the web group (POST, PUT, PATCH, DELETE) loses this protection at once.

Disable CSRF Token Protection for Specific Routes

In this example, we will disable it for some specific routes or route groups. There are two ways to disable CSRF protection for particular routes.

  • By VerifyCsrfToken Middleware
  • By Route Methods

Both methods are provided by Laravel. Use whichever fits your requirements.

By VerifyCsrfToken Middleware

Let’s take some routes for our example.

use App\Http\Controllers\ExampleController;

// CSRF verification only runs for state-changing requests (POST, PUT, PATCH, DELETE);
// GET requests skip it anyway, so the example routes use POST. The controller action
// is passed as the [class, method] array that Route::post() expects.
Route::post('route1', [ExampleController::class, 'route1']);
Route::post('route2', [ExampleController::class, 'route2']);
Route::post('route3', [ExampleController::class, 'route3']);
Route::post('route4', [ExampleController::class, 'route4']);
Route::post('route5', [ExampleController::class, 'route5']);

VerifyCsrfToken itself provides a way to disable CSRF protection through its protected $except array. Here we just have to list the request URIs to exclude (wildcards such as 'route1/*' are also accepted). Check out the example below:

app\Http\Middleware\VerifyCsrfToken.php

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // Request URIs (not route names) that skip CSRF verification.
    protected $except = [
        'route1', 'route2', 'route3', 'route4', 'route5',
    ];
}

By Route Methods

Laravel 7.7 added some new functions, one of them being withoutMiddleware. This route method takes an array of middleware classes and handles the request without running them. Let’s take another example using this method:

use App\Http\Controllers\ExampleController;
use App\Http\Middleware\VerifyCsrfToken;

// Same POST routes as before, this time excluded per route instead of via $except.
Route::post('route1', [ExampleController::class, 'route1'])->withoutMiddleware([VerifyCsrfToken::class]);
Route::post('route2', [ExampleController::class, 'route2'])->withoutMiddleware([VerifyCsrfToken::class]);
Route::post('route3', [ExampleController::class, 'route3'])->withoutMiddleware([VerifyCsrfToken::class]);
Route::post('route4', [ExampleController::class, 'route4'])->withoutMiddleware([VerifyCsrfToken::class]);
Route::post('route5', [ExampleController::class, 'route5'])->withoutMiddleware([VerifyCsrfToken::class]);

As you can see, in this example we don’t need to change the VerifyCsrfToken middleware at all. We can achieve our task directly from the route definition.

Please note that the withoutMiddleware method can only remove route and group middleware; it does not apply to global middleware.
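The most common legitimate reason to exclude a single route is a third-party webhook that cannot carry a session CSRF token. The example below (added here, not code from the original post) combines the withoutMiddleware method with a replacement authenticity check, an HMAC signature over the raw request body, so that the excluded route is not left unverified. The route path 'webhooks/payment', the header name X-Signature-256 and the config key services.payment.webhook_secret are assumptions for illustration.

```php
<?php
// routes/web.php (added example; the path, header and config key below are hypothetical)

use App\Http\Middleware\VerifyCsrfToken;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// POST because CSRF verification only applies to state-changing methods.
Route::post('webhooks/payment', function (Request $request) {
    // Shared secret configured with the webhook sender (hypothetical config key).
    $secret = (string) config('services.payment.webhook_secret');

    // Signature is computed over the raw body, exactly as received.
    $expected = 'sha256=' . hash_hmac('sha256', $request->getContent(), $secret);
    $given    = (string) $request->header('X-Signature-256', '');

    // Constant-time comparison; anything without a valid signature is rejected.
    if ($secret === '' || ! hash_equals($expected, $given)) {
        abort(403, 'Invalid webhook signature.');
    }

    // ... process the verified payload here ...

    return response()->noContent();
})->withoutMiddleware([VerifyCsrfToken::class]);
```

Only this one route is excluded; every other route in the web group still runs VerifyCsrfToken.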