
CSRF in Laravel Applications

Laravel includes robust CSRF protection via the VerifyCsrfToken middleware and @csrf Blade directive. However, developers often weaken this by excluding routes in the $except array, misconfiguring Sanctum for SPAs, or forgetting to include tokens in AJAX requests.


How CSRF Manifests in Laravel

Laravel CSRF protection fails when:

- Routes are added to the VerifyCsrfToken $except array without alternative protection
- SPA frontends do not call the /sanctum/csrf-cookie endpoint before making requests
- Forms miss the @csrf directive
- AJAX requests do not send the X-XSRF-TOKEN header

Laravel Sanctum provides CSRF protection for SPAs, but misconfiguration of SANCTUM_STATEFUL_DOMAINS is a common source of CSRF vulnerabilities.

Real-World Impact

A Laravel SaaS application excluded its entire /api prefix from CSRF verification to make the API work with a mobile app. The web frontend also used these same API routes with cookie auth. An attacker exploited this to create admin accounts through a CSRF attack targeting the existing admin.

Step-by-Step Fix

1. Include @csrf in all forms

The @csrf directive generates a hidden input with the CSRF token.

<!-- Always include @csrf in POST forms -->
<form method="POST" action="/profile">
    @csrf
    @method('PUT')
    <input type="text" name="name" value="{{ $user->name }}">
    <button type="submit">Update</button>
</form>

2. Configure Sanctum for SPA CSRF

Properly set up Sanctum's stateful domains for SPA authentication.

# .env
SANCTUM_STATEFUL_DOMAINS=localhost:3000,yourdomain.com
SESSION_DOMAIN=.yourdomain.com

// Frontend: read a cookie value by name from document.cookie ('' if absent)
function getCookie(name) {
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? match[1] : '';
}

// Call csrf-cookie before auth requests so the XSRF-TOKEN cookie is set
await fetch('https://api.yourdomain.com/sanctum/csrf-cookie', {
  credentials: 'include',
});

// Then make authenticated requests; the cookie value is URL-encoded, so decode it
await fetch('https://api.yourdomain.com/api/profile', {
  method: 'PUT',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/json',
    'X-XSRF-TOKEN': decodeURIComponent(getCookie('XSRF-TOKEN')),
  },
  body: JSON.stringify({ name: 'New Name' }),
});

3. Minimize VerifyCsrfToken exceptions

Only exclude routes that authenticate each request some other way, such as a webhook endpoint that verifies the sender's signature.

<?php
// app/Http/Middleware/VerifyCsrfToken.php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    // UNSAFE - excluding all API routes also disables CSRF checks for every
    // cookie-authenticated request under /api
    // protected $except = ['/api/*'];

    // SAFE - only exclude webhook endpoints that verify a request signature
    // themselves; that signature check is what replaces the CSRF token here
    protected $except = [
        'stripe/webhook',
        'github/webhook',
    ];
}
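The $except entry above is only safe because something else authenticates the request. The middleware below is an added example (not code from Vibe App Scanner or from Laravel) of that replacement check for the github/webhook route. It implements the real GitHub webhook scheme, in which the sender puts sha256=<hex HMAC-SHA256 of the raw body> in the X-Hub-Signature-256 header; the class name VerifyWebhookSignature and the config key services.github.webhook_secret are assumptions for this example.

```php
<?php
// app/Http/Middleware/VerifyWebhookSignature.php (hypothetical file; added example)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Replaces the CSRF token check on a webhook route listed in VerifyCsrfToken::$except.
 * GitHub scheme: X-Hub-Signature-256 carries "sha256=<hex HMAC-SHA256 of the raw body>".
 */
class VerifyWebhookSignature
{
    public function handle(Request $request, Closure $next): Response
    {
        // Assumed key added to config/services.php:
        //   'github' => ['webhook_secret' => env('GITHUB_WEBHOOK_SECRET')]
        // Fail closed: a missing secret must not turn into "accept everything".
        $secret = (string) config('services.github.webhook_secret', '');
        if ($secret === '') {
            abort(500, 'Webhook secret is not configured');
        }

        // Sign the raw bytes exactly as received; re-encoding the JSON would change the digest.
        $expected = 'sha256='.hash_hmac('sha256', $request->getContent(), $secret);
        $provided = (string) $request->header('X-Hub-Signature-256', '');

        // Constant-time comparison; also rejects an absent or malformed header.
        if (! hash_equals($expected, $provided)) {
            abort(403, 'Invalid webhook signature');
        }

        // Only a request that passed the signature check reaches the handler.
        return $next($request);
    }
}
```

Attach it to the excluded route in routes/web.php with `Route::post('github/webhook', [...])->middleware(VerifyWebhookSignature::class);` so the route is never reachable with neither a CSRF token nor a valid signature. Stripe uses a different format (a Stripe-Signature header with a timestamp and v1 digests), which the official stripe-php library verifies via \Stripe\Webhook::constructEvent(); the principle for the stripe/webhook entry is the same. On Laravel 11 and later the exception list lives in bootstrap/app.php as $middleware->validateCsrfTokens(except: [...]) rather than in an app-level VerifyCsrfToken class, but the requirement for a replacement check is unchanged.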

Prevention Best Practices

1. Never exclude routes from VerifyCsrfToken without implementing alternative auth.
2. Always include @csrf in Blade forms.
3. For SPAs with Sanctum, configure SANCTUM_STATEFUL_DOMAINS correctly.
4. Send X-XSRF-TOKEN header in AJAX requests.
5. Use token-based auth for mobile APIs, cookie-based auth for web only.

How to Test

1. Check VerifyCsrfToken middleware for excluded routes.
2. Verify all Blade forms include @csrf.
3. Submit a cross-origin form to a non-excluded POST endpoint.
4. Check if AJAX requests send X-XSRF-TOKEN header.
5. Use Vibe App Scanner to detect CSRF weaknesses in your Laravel application.
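Check 1 can be automated so that a widened exception list fails CI. The PHPUnit test below is an added example (not Vibe App Scanner's or Laravel's code). It inspects configuration rather than sending a token-less POST, because Laravel's base VerifyCsrfToken skips validation while the application is running unit tests, so a feature test would never observe the 419 response that step 3 looks for. It assumes the app-level App\Http\Middleware\VerifyCsrfToken class from Step 3 exists and that excluded webhook routes carry a hypothetical App\Http\Middleware\VerifyWebhookSignature middleware; rename that to whatever your signature check is called.

```php
<?php
// tests/Feature/CsrfExceptionsTest.php (hypothetical file; added example)

namespace Tests\Feature;

use App\Http\Middleware\VerifyCsrfToken;
use App\Http\Middleware\VerifyWebhookSignature; // assumed name of the signature check
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;
use ReflectionProperty;
use Tests\TestCase;

class CsrfExceptionsTest extends TestCase
{
    /** Read the protected $except list off the resolved middleware via reflection. */
    private function exceptList(): array
    {
        $prop = new ReflectionProperty(VerifyCsrfToken::class, 'except');
        $prop->setAccessible(true); // no-op on PHP 8.1+, needed on older versions

        return array_map(fn ($p) => ltrim($p, '/'), $prop->getValue(app(VerifyCsrfToken::class)));
    }

    /** Wildcards and anything under api/ disable CSRF for whole subtrees. */
    public function test_no_broad_csrf_exclusions(): void
    {
        foreach ($this->exceptList() as $pattern) {
            $this->assertStringNotContainsString('*', $pattern,
                "CSRF exclusion '{$pattern}' uses a wildcard and covers a whole route subtree");
            $this->assertFalse(Str::startsWith($pattern, 'api/'),
                "CSRF exclusion '{$pattern}' covers API routes that may also accept cookie auth");
        }
    }

    /** Every excluded state-changing route must carry the replacement check. */
    public function test_every_excluded_route_verifies_a_signature(): void
    {
        foreach (Route::getRoutes()->getRoutes() as $route) {
            if (! in_array('POST', $route->methods(), true)) {
                continue; // GET/HEAD/OPTIONS are never CSRF-checked anyway
            }
            foreach ($this->exceptList() as $pattern) {
                if (Str::is($pattern, $route->uri())) {
                    $this->assertContains(VerifyWebhookSignature::class, $route->gatherMiddleware(),
                        "Route '{$route->uri()}' is excluded from CSRF but has no signature middleware");
                }
            }
        }
    }
}
```

Run it with `php artisan test --filter CsrfExceptionsTest`. For step 3, the manual cross-origin form check, test against a running instance (for example a local server with APP_ENV=local) rather than through the test client, for the reason given above.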

Frequently Asked Questions

Does Laravel have built-in CSRF protection?

Yes. Laravel includes the VerifyCsrfToken middleware and @csrf Blade directive. CSRF protection is enabled by default for all POST, PUT, PATCH, and DELETE requests. The XSRF-TOKEN cookie is automatically set so that JavaScript frameworks can send it back in the X-XSRF-TOKEN header.

How does Sanctum handle CSRF for SPAs?

Sanctum uses cookie-based session authentication for SPAs on stateful domains. The SPA must first call /sanctum/csrf-cookie to get the XSRF-TOKEN cookie, then send it in the X-XSRF-TOKEN header with subsequent requests. Configure SANCTUM_STATEFUL_DOMAINS to specify which domains use this flow.

Should I exclude API routes from CSRF in Laravel?

Only if those routes use token-based authentication (Sanctum tokens, Passport tokens) exclusively. If any route accepts cookie-based authentication, it needs CSRF protection. Never exclude routes that serve both web and API clients with cookies.

Is Your Laravel App Vulnerable to CSRF?

VAS automatically scans for CSRF vulnerabilities in Laravel applications and provides step-by-step remediation guidance with code examples.

Scans from $5, results in minutes. Get actionable fixes tailored to your Laravel stack.