clarify which <form> methods need CSRF protection (laravel#7054)
Help users understand that "POST", "PUT", "PATCH", and "DELETE" methods require CSRF protection, while "HEAD", "GET" and "OPTIONS" requests do not.

https://github.com/laravel/framework/blob/8.x/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php#L94
browner12 authored May 7, 2021
1 parent ec71f67 commit 1ca38aa
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion csrf.md
Expand Up @@ -47,7 +47,7 @@ The current session's CSRF token can be accessed via the request's session or vi
// ...
});

Anytime you define an HTML form in your application, you should include a hidden CSRF `_token` field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the `@csrf` Blade directive to generate the hidden token input field:
Anytime you define a "POST", "PUT", "PATCH", or "DELETE" HTML form in your application, you should include a hidden CSRF `_token` field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the `@csrf` Blade directive to generate the hidden token input field:

<form method="POST" action="/profile">
@csrf
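
Review bot: The reworded sentence names the methods that need the `_token` field but leaves out the other half of what the commit message sets out to explain, namely that "HEAD", "GET" and "OPTIONS" requests are not checked. Consider saying that in the same paragraph, so readers see that a form or route that changes state over "GET" gets no validation from the CSRF middleware and should use one of the protected methods instead. A smaller wording point on the same line: an HTML `<form>` only submits "GET" or "POST" natively, so "a 'PUT', 'PATCH', or 'DELETE' HTML form" would be more precise if it referred to forms that spoof those methods.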