How to disable CSRF in Laravel
Learn how to disable CSRF protection for individual Laravel routes, with examples, and what you must put in its place when you do.
Disabling CSRF in Laravel
Cross-Site Request Forgery (CSRF) is an attack in which a malicious web site, email, blog, instant message, or program causes a user's browser to send an unwanted request to a trusted site on which the user is currently authenticated. The attack works because the browser automatically attaches the user's session cookie to the forged request, so the trusted site cannot tell it apart from a request the user intended to make.
CSRF protection in Laravel is enabled by default for every route in the web middleware group: the VerifyCsrfToken middleware compares the _token form field (or the X-CSRF-TOKEN / X-XSRF-TOKEN header) against the token stored in the session and rejects the request with a 419 response if they do not match. Routes in the api middleware group are not covered, because that group does not include the middleware. The middleware also skips read-only requests (GET, HEAD, OPTIONS), so there is never a reason to exclude a GET route.
Laravel has no Route::disableCsrfProtection() method. To exclude a single route, chain withoutMiddleware() onto the route definition, passing the same middleware class that is registered in your web group:
<?php
// routes/web.php
use App\Http\Middleware\VerifyCsrfToken;
use Illuminate\Support\Facades\Route;

Route::post('/my-route', function () {
    // Process the request...
})->withoutMiddleware([VerifyCsrfToken::class]);
Alternatively, you can list the route in the $except array of the VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php in Laravel 10 and earlier). Entries may use wildcards, for example 'stripe/*'. In Laravel 11, which no longer ships this class in the application skeleton, the same list is passed to $middleware->validateCsrfTokens(except: [...]) in bootstrap/app.php. For example:
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array<int, string>
     */
    protected $except = [
        '/my-route',
    ];
}
In this example, the /my-route endpoint is no longer protected against CSRF attacks: any third-party page can now submit a form to it, and the request will arrive carrying the victim's session cookie and be processed as if the victim had submitted it. Excluding a route is therefore only safe when the route does not act on the browser session at all.
Disabling CSRF protection for a specific route is sometimes necessary, typically for inbound webhooks or other server-to-server callbacks that cannot obtain a session token, but it should be done with caution. Such a route must authenticate the caller by some means that a forged browser request cannot supply, such as a signature over the request body computed with a shared secret, or a bearer token checked explicitly in the handler. Keep the VerifyCsrfToken middleware in place for every route that is reached from a browser session, so that all state-changing requests from users remain verified.
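The following is an added example of what a route excluded from CSRF verification should do instead, and is not code from the original page or from the Laravel project. It assumes that /webhooks/vendor has been added to the $except array as shown above, that the sender puts a Unix timestamp in an X-Vendor-Timestamp header and an HMAC-SHA256 over "timestamp.body" in an X-Vendor-Signature header, and that the shared secret is stored under the hypothetical config key services.vendor.webhook_secret. The header names, the config key and the signing scheme are assumptions for the example.

```php
<?php
// routes/web.php (added example; assumes '/webhooks/vendor' is listed in VerifyCsrfToken::$except)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

/**
 * Verify an HMAC-SHA256 signature over "<timestamp>.<raw body>".
 *
 * Returns true only when the signature matches and the timestamp is within
 * $tolerance seconds of $now, which bounds how long a captured request can be replayed.
 */
function verifyVendorWebhookSignature(
    string $rawBody,
    ?string $signature,
    ?string $timestamp,
    string $secret,
    int $now,
    int $tolerance = 300
): bool {
    // A missing or non-numeric header is a failed check, not an exception.
    if ($signature === null || $timestamp === null || !ctype_digit($timestamp)) {
        return false;
    }

    // Reject stale or future-dated requests.
    if (abs($now - (int) $timestamp) > $tolerance) {
        return false;
    }

    // The timestamp is signed together with the body so neither can be swapped independently.
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);

    // hash_equals is a constant-time comparison; a plain === would leak
    // how many leading bytes of the guess were correct.
    return hash_equals($expected, $signature);
}

Route::post('/webhooks/vendor', function (Request $request) {
    // Hypothetical config key holding the secret shared with the webhook sender.
    $secret = (string) config('services.vendor.webhook_secret');

    // Verify over the raw bytes, before anything is parsed or acted upon.
    $ok = verifyVendorWebhookSignature(
        $request->getContent(),
        $request->header('X-Vendor-Signature'),
        $request->header('X-Vendor-Timestamp'),
        $secret,
        time()
    );

    if (!$ok) {
        abort(401, 'Invalid webhook signature');
    }

    // Only now is the payload trusted enough to decode and process.
    $event = $request->json()->all();
    // ... handle $event ...

    return response()->noContent();
});
```

The point of the example is that removing CSRF verification does not remove the need for authentication; it replaces a session-bound token with a check that a browser on a third-party page cannot satisfy. The signature is computed over the exact bytes received, not over a re-serialised copy, and the secret never appears in the request, so a forged cross-site POST fails at the signature check regardless of which cookies the browser attaches.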