What Is Cross-Site Request Forgery (CSRF)?
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
In Laravel Applications
Laravel includes built-in CSRF protection via the VerifyCsrfToken middleware. Every HTML form that submits to your application must include the @csrf Blade directive, and AJAX requests must send the token in the X-CSRF-TOKEN header. The protection works by generating a unique token per session and validating it on every POST, PUT, PATCH, and DELETE request; a request that arrives without a matching token is rejected before it reaches your controller.
Example
Without @csrf, an attacker could create a form on their site that submits a POST request to your Laravel app's /account/delete endpoint. If a logged-in user visits the attacker's page, their account would be deleted without their knowledge.
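A protected version of the /account/delete form from the example above, together with the AJAX variant described under "In Laravel Applications", as an added example that is not code from StackShield or from the Laravel project; the view file path and the `csrf-token` meta tag name are assumptions, `csrf_token()` and `@csrf` are Laravel's own helpers:

```php
{{-- resources/views/account/settings.blade.php (example path, an assumption) --}}
<!DOCTYPE html>
<html>
<head>
    {{-- Expose the session token to same-origin scripts; csrf_token() is Laravel's helper --}}
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    {{-- Classic form: @csrf expands to <input type="hidden" name="_token" value="..."> --}}
    <form method="POST" action="/account/delete">
        @csrf
        <button type="submit">Delete my account</button>
    </form>

    {{-- Same action over AJAX: the token travels in the X-CSRF-TOKEN header instead --}}
    <script>
        const token = document
            .querySelector('meta[name="csrf-token"]')
            .getAttribute('content');

        async function deleteAccount() {
            const response = await fetch('/account/delete', {
                method: 'POST',
                headers: {
                    'X-CSRF-TOKEN': token,
                    'Accept': 'application/json',
                },
                credentials: 'same-origin',
            });
            // Laravel answers 419 when VerifyCsrfToken finds the token missing or stale,
            // typically because the session expired; reloading the page yields a fresh one.
            if (response.status === 419) {
                window.location.reload();
                return false;
            }
            return response.ok;
        }
    </script>
</body>
</html>
```

A page on another origin cannot read this meta tag or the hidden `_token` field, so a forged form it submits carries no valid token and VerifyCsrfToken rejects the request with a 419 instead of deleting the account.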
Related Terms
Cross-Site Scripting (XSS)
A vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as legitimate scripts, allowing the attacker to steal session tokens, redirect users, or modify page content.
Session Hijacking
An attack where an adversary takes over a valid user session by stealing or predicting the session identifier. Once the attacker has the session ID, they can impersonate the user and perform any action the user is authorized to do.
Security Headers
HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser what actions are allowed.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.