Using Form Method Spoofing and CSRF Protection in Laravel

This article explains how to handle RESTful HTTP methods in Laravel forms by using method spoofing, demonstrates adding CSRF tokens, disabling CSRF protection, configuring whitelist routes, and provides code examples for GET, POST, and PUT requests.


We know the most popular API design is RESTful, which uses the five common HTTP methods: GET, POST, PUT, PATCH, and DELETE. HTML forms can easily construct GET or POST requests, but the other three methods are not directly supported. Laravel solves this by allowing form method spoofing.

Preparation

First, create two routes: one for displaying the form and one for handling the submitted form.

Route::get('form', function () {
    return view('form');
});

Route::any('getform', function () {
    return \Illuminate\Support\Facades\Request::method();
});

Next, a simple GET request form looks like this:

<form method="get" action="/getform">
    <input type="submit" value="sub" />
</form>

Submitting this form shows "GET" in the browser, confirming the request succeeded.

CSRF Protection

When the form method is changed to POST, Laravel returns a 419 "page expired" error because of its default CSRF protection. All non‑GET requests must include a CSRF token in the form.

<input type="hidden" name="_token" value="{{ csrf_token() }}">

Laravel also provides a short Blade directive:

@csrf

Disabling CSRF Protection

It is generally not recommended to disable CSRF globally, but it can be turned off by commenting out the middleware line in app/Http/Kernel.php:

\App\Http\Middleware\VerifyCsrfToken::class

CSRF Whitelist

Sometimes you need a set of URLs that are exempt from CSRF verification, such as public API endpoints. Add them to the $except array in app/Http/Middleware/VerifyCsrfToken.php:

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        /* whitelist list */
        'http://example.com/api/*',
        'api/*',
        'a/b/*',
    ];
}

Form Method Spoofing

After understanding CSRF, you can spoof other HTTP methods by adding a hidden _method field to the form:

<input type="hidden" name="_method" value="PUT">

Or use the Blade shortcut:

@method('PUT')

Below is a complete form that spoofs a PUT request:

<form method="post" action="/getform">
    @csrf
    @method('PUT')
    <input type="submit" value="sub" />
</form>
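To show how these two pieces interact, the following is an added, stand-alone PHP model written for this article (it is not Laravel's code or the original author's) of the two decisions described above: resolving the hidden _method field into the effective HTTP method, and the VerifyCsrfToken check with its $except list. The function names, the request array layout and the sample requests are constructed for this illustration; it assumes the Symfony/Laravel rule that a method override is honoured only when the real request method is POST, and it leaves out Laravel's encrypted X-XSRF-TOKEN cookie branch.

```php
<?php
declare(strict_types=1);

// Simplified model of two steps in Laravel's request pipeline, written for this
// article (not Laravel's own code): resolving a spoofed "_method" field, then
// taking the VerifyCsrfToken decision with the $except list. It assumes the
// Symfony/Laravel rule that an override is honoured only on a real POST.

const SPOOFABLE = ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
const READ_METHODS = ['HEAD', 'GET', 'OPTIONS'];   // never CSRF-checked

/** Effective HTTP method: "_method" is only read from a real POST body. */
function resolveMethod(string $realMethod, array $body): string
{
    $real = strtoupper($realMethod);
    if ($real !== 'POST' || !isset($body['_method'])) {
        return $real;                // GET /x?_method=DELETE stays GET
    }
    $spoofed = strtoupper((string) $body['_method']);
    return in_array($spoofed, SPOOFABLE, true) ? $spoofed : $real;
}

/** Does the path or full URL match an $except entry? '*' is a wildcard, as in Str::is(). */
function inExceptArray(string $path, string $fullUrl, array $except): bool
{
    foreach ($except as $pattern) {
        $pattern = $pattern === '/' ? $pattern : trim($pattern, '/');
        $regex   = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
        foreach ([trim($path, '/'), $fullUrl] as $candidate) {
            if ($candidate === $pattern || preg_match($regex, $candidate) === 1) {
                return true;
            }
        }
    }
    return false;
}

/** Constant-time comparison; a missing or empty token never matches. */
function tokensMatch(?string $sessionToken, ?string $requestToken): bool
{
    if ($sessionToken === null || $sessionToken === '' || $requestToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $requestToken);
}

/**
 * CSRF decision for one request. $request keys: method (real), path, url,
 * body (form fields), headers. Laravel also accepts an encrypted X-XSRF-TOKEN
 * cookie header; that branch is omitted here.
 */
function verifyCsrf(array $request, ?string $sessionToken, array $except): bool
{
    $body   = $request['body'] ?? [];
    $method = resolveMethod($request['method'], $body);
    if (in_array($method, READ_METHODS, true)) {
        return true;                 // read requests skip the check
    }
    if (inExceptArray($request['path'], $request['url'] ?? '', $except)) {
        return true;                 // explicitly exempted URI
    }
    $token = $body['_token'] ?? $request['headers']['X-CSRF-TOKEN'] ?? null;
    return tokensMatch($sessionToken, is_string($token) ? $token : null);
}

// Constructed sample session token and requests (not captured traffic).
$session = 'constructed-session-token';
$except  = ['api/*', 'a/b/*'];
$cases = [
    'PUT via @method + @csrf'   => ['method' => 'POST', 'path' => '/getform', 'body' => ['_method' => 'PUT', '_token' => $session]],
    'PUT via @method, no token' => ['method' => 'POST', 'path' => '/getform', 'body' => ['_method' => 'PUT']],
    'GET with _method=DELETE'   => ['method' => 'GET',  'path' => '/getform', 'body' => ['_method' => 'DELETE']],
    'POST /api/ping (exempt)'   => ['method' => 'POST', 'path' => '/api/ping', 'body' => []],
    'POST /admin/api/ping'      => ['method' => 'POST', 'path' => '/admin/api/ping', 'body' => []],
];
foreach ($cases as $label => $req) {
    printf("%-26s method=%-6s csrf=%s\n", $label,
        resolveMethod($req['method'], $req['body']),
        verifyCsrf($req, $session, $except) ? 'pass' : '419');
}
```

Run it with the php command-line interpreter. The first two cases are the article's final form with and without @csrf (pass versus 419); the GET case shows that a _method field cannot turn a read request into a write; and the last two cases show why $except entries are anchored, so 'api/*' exempts /api/ping but not /admin/api/ping. Note that hash_equals is used for the token comparison so that a mismatch takes the same time regardless of where the strings differ.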

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by php Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
