Utshab Roy

Laravel form submit without CSRF

Why needed

Well, to be honest, it's always good to use the CSRF token to submit a form to the system. It is a really good way to protect your site form malicious user to make an unexpected perform. However, there are certain point or case where you want to submit a form without CSRF token. For example, you want to embed a form in HTML for inside and outside users. Then they will not have the CSRF token with them.

Another example is, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.(source)

That's why, it is necessary to know how to submit a form without CSRF token in Laravel.

The process

The easiest way to submit a form without CSRF is to exclude the routes by adding their URIs to the $except property of the VerifyCsrfToken middleware.

First you have to go to the App\Http\Middleware\VerifyCsrfToken.php class. Then you have to change the $except property. By default it's a empty array. You have to change it is into the following form.

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * Indicates whether the XSRF-TOKEN cookie should be set on the response.
     *
     * @var bool
     */
    protected $addHttpCookie = true;

    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ];
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

Here, http://example.com/foo/bar and http://example.com/foo/* are just the URL of the site where you don't want to have the CSRF token with the form. By * you are meaning all the route after the foo.

That's all. Now those URL can have form without CSRF token.

Conclusion

CSRF token is really a good way to protect your site. I will always suggest you to use it, and avoid it if only it is not needed.

Happy Coding !

Proper way to add jQuery to Laravel projects