Laravel 12 CSRF Protection: Why It’s Important for Your Web App

Author

Kritim Yantra

Apr 01, 2025

If you're building a web application with Laravel, you’ve probably heard about CSRF protection. But what exactly is it, and why does Laravel enforce it by default?

In this blog, we’ll break down CSRF (Cross-Site Request Forgery) protection in Laravel 12 in simple terms. Whether you're a beginner or just need a refresher, this guide will help you understand why CSRF protection is crucial for your app’s security.


What is CSRF?

CSRF (Cross-Site Request Forgery) is an attack in which a malicious site tricks a user's browser into sending a request to a website that trusts that user, so the site carries out the attacker's command as if the user had issued it.

Example Scenario:

  1. You log in to your online banking website.
  2. Without logging out, you visit another (malicious) website.
  3. That malicious site secretly sends a request to your bank to transfer money.
  4. Since you're still logged in, the bank executes the request, thinking it’s legitimate.

This is a CSRF attack—the attacker tricks your browser into performing actions without your consent.


How Laravel 12 Protects Against CSRF

Laravel makes CSRF protection simple by automatically generating and verifying CSRF tokens.

How It Works:

  1. Token Generation: Laravel creates a unique CSRF token for each active user session.
  2. Token Submission: When a form is submitted, this token is sent along with the request (usually as a hidden field).
  3. Token Verification: Laravel checks if the submitted token matches the one stored in the session. If not, the request is rejected.

Example in a Laravel Form:

<form method="POST" action="/submit">
    @csrf {{-- Renders the hidden _token input; a Blade comment is not sent to the browser --}}
    <input type="text" name="email">
    <button type="submit">Submit</button>
</form>

When the form is submitted, Laravel compares the submitted _token value with the token stored in the session to ensure the request is legitimate.
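The three steps above, as an added example that is not Laravel's own VerifyCsrfToken code: a framework-free PHP model of token generation, the hidden field, and verification, assuming the session is a plain array and a request is represented by its method, POST fields and headers.

```php
<?php
// Added example, not Laravel's middleware: $session stands in for the Laravel
// session store and the request is a plain array, so it runs with the php CLI.

// Step 1: one token per session, created on first use and reused afterwards.
function csrfToken(array &$session): string
{
    if (empty($session['_token'])) {
        // Laravel uses a 40-character random string; CSPRNG hex is used here.
        $session['_token'] = bin2hex(random_bytes(20));
    }
    return $session['_token'];
}

// Step 2: the hidden input that @csrf renders into the form.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// Step 3: verify on state-changing methods; read-only methods need no token.
function tokensMatch(array $session, string $method, array $post, array $headers): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    // Laravel reads the _token field or the X-CSRF-TOKEN header (used by AJAX calls).
    $sent = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    $expected = $session['_token'] ?? null;
    if (!is_string($sent) || !is_string($expected) || $sent === '' || $expected === '') {
        return false; // missing token: exactly what a cross-site form post looks like
    }
    // hash_equals compares in constant time, so timing reveals nothing about the token.
    return hash_equals($expected, $sent);
}

// Demo: a genuine submission versus forged cross-site POSTs (constructed inputs).
$session = [];
$form = csrfField($session);                    // the page served to the real user
preg_match('/value="([0-9a-f]+)"/', $form, $m); // the browser sends this value back
$cases = [
    'genuine POST with token'  => tokensMatch($session, 'POST', ['_token' => $m[1]], []),
    'forged POST, no token'    => tokensMatch($session, 'POST', ['email' => 'a@b.test'], []),
    'forged POST, wrong token' => tokensMatch($session, 'POST', ['_token' => str_repeat('0', 40)], []),
    'GET (no state change)'    => tokensMatch($session, 'GET', [], []),
];
foreach ($cases as $label => $ok) {
    printf("%-25s => %s\n", $label, $ok ? 'accepted' : 'rejected (419)');
}
```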


Why is CSRF Protection Important?

1. Prevents Unauthorized Actions

  • Without CSRF protection, attackers could trick users into submitting forms (e.g., changing passwords, making payments).

2. Required for State-Changing Requests

  • Laravel applies CSRF protection to POST, PUT, PATCH, and DELETE routes because these modify data.

3. Built-in Security for Your Users

  • Even if users are logged in, attackers can’t forge requests without the correct token.

4. Laravel Makes It Easy

  • You don’t need to manually validate tokens—just use @csrf in forms, and Laravel handles the rest.

When to Exclude CSRF Protection (Rare Cases)

Sometimes, you might need to disable CSRF for certain routes (e.g., API endpoints). You can do this in app/Http/Middleware/VerifyCsrfToken.php:

protected $except = [
    'api/webhook', // Exclude a specific route
];

Warning: Only disable CSRF if you have other security measures (like API tokens).


Conclusion

CSRF protection in Laravel 12 is a must-have security feature that prevents attackers from exploiting user sessions. By simply adding @csrf to your forms, you ensure that only legitimate requests are processed.

Best Practices:

✔ Always use @csrf in forms.
✔ Never disable CSRF unless absolutely necessary.
✔ Keep Laravel updated for the latest security fixes.

By understanding and implementing CSRF protection, you’re making your Laravel app more secure for your users!


Got questions? Drop them in the comments below!

Tags

Laravel Php
