Backend Development

Using Form Method Spoofing and CSRF Protection in Laravel

This article explains how to handle RESTful HTTP methods in Laravel forms by using method spoofing, demonstrates adding CSRF tokens, disabling CSRF protection, configuring whitelist routes, and provides code examples for GET, POST, and PUT requests.

php中文网 Courses

We know the most popular API design is RESTful, which uses the five common HTTP methods: GET, POST, PUT, PATCH, and DELETE. An HTML form's method attribute only accepts get and post, so a form cannot send the other three methods directly. Laravel solves this with form method spoofing: the form is submitted as a POST and a hidden field tells Laravel which method to treat it as.

Preparation

First, create two routes in routes/web.php: one that displays the form and one that accepts the submitted form and echoes the HTTP method Laravel resolved for it, so the effect of spoofing can be seen directly.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Displays the form.
Route::get('form', function () {
    return view('form');
});

// Accepts any HTTP method and returns the method Laravel resolved
// (after _method spoofing has been applied).
Route::any('getform', function (Request $request) {
    return $request->method();
});

Next, a simple GET request form looks like this:

<form method="get" action="/getform">
    <input type="submit" value="sub" />
</form>

Submitting this form shows "GET" in the browser, confirming the request succeeded.

CSRF Protection

When the form method is changed to POST, Laravel responds with HTTP 419 ("Page Expired") because of its default CSRF protection: the VerifyCsrfToken middleware in the web middleware group checks every request whose method is not GET, HEAD or OPTIONS for a token that matches the one stored in the user's session. The form must therefore carry that token in a hidden field:

<input type="hidden" name="_token" value="{{ csrf_token() }}">

Laravel also provides a short Blade directive:

@csrf

Disabling CSRF Protection

Disabling CSRF protection globally is not recommended, because every session-authenticated form in the application then becomes forgeable from any site the user happens to visit. It can nevertheless be turned off by commenting out the middleware line in the web middleware group of app/Http/Kernel.php (in Laravel 11 and later that file no longer exists and the middleware is configured in bootstrap/app.php instead):

\App\Http\Middleware\VerifyCsrfToken::class

CSRF Whitelist

Sometimes a set of URLs must be exempt from CSRF verification, typically endpoints called by other systems rather than by a browser form, such as public API endpoints or webhook receivers. Routes defined in routes/api.php are already outside the web middleware group and are not CSRF-checked, so they rarely need an entry here; whatever is exempted must authenticate by something other than the session cookie (an API token or a signed payload), otherwise it is simply a route that can be forged. Add the patterns to the $except array in app/Http/Middleware/VerifyCsrfToken.php (in Laravel 11 and later the same list is passed to validateCsrfTokens(except: [...]) in bootstrap/app.php):

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'http://example.com/api/*', // full-URL pattern: the host must match too
        'api/*',                    // path pattern, relative to the application root
        'a/b/*',                    // '*' is the only wildcard and matches any suffix
    ];
}

Form Method Spoofing

With CSRF handled, other HTTP methods can be spoofed by adding a hidden _method field to a form whose method is post. Laravel (through Symfony's HTTP foundation) honours the override only when the request actually arrives as a POST, so the field has no effect on a GET form. Because the browser still sends a POST, the CSRF token is still required:

<input type="hidden" name="_method" value="PUT">

Or use the Blade shortcut:

@method('PUT')

Below is a complete form that spoofs a PUT request; submitting it to the /getform route above returns PUT:

<form method="post" action="/getform">
    @csrf
    @method('PUT')
    <input type="submit" value="sub" />
</form>
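To see the rules from the CSRF and spoofing sections interact (a spoofed PUT is still a POST on the wire, so the token is still checked; the check runs on the resolved method; exempt patterns are matched against both the path and the full URL), here is a self-contained model added for this article. It is not Laravel's source: the Request class, the function names resolveMethod and csrfAllows, the $except list and the sample requests are constructed for the demo, while the decision order it reproduces is that of Laravel's VerifyCsrfToken middleware and the Symfony method-override rule Laravel enables.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's own code. resolveMethod() follows the Symfony rule
// behind Laravel's method spoofing; csrfAllows() follows the order of checks in
// Laravel's VerifyCsrfToken middleware. The Request class, the function names,
// the $except list and the sample requests are constructed for this demo.

final class Request
{
    public function __construct(
        public string $method,          // method as sent on the wire
        public string $path,            // request path, e.g. 'getform'
        public array  $input = [],      // form fields (body or query)
        public array  $headers = [],    // request headers
        public string $host = 'example.com',
    ) {}

    public function fullUrl(): string { return 'http://' . $this->host . '/' . trim($this->path, '/'); }
    public function decodedPath(): string { return trim($this->path, '/') ?: '/'; }
}

// Same contract as Str::is(): '*' matches anything and the pattern must cover the whole value.
function patternMatches(string $pattern, string $value): bool
{
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '\z#u';
    return $pattern === $value || preg_match($regex, $value) === 1;
}

// Spoofing is honoured only when the real method is POST; the override comes from the
// X-HTTP-Method-Override header first, then _method. (Simplified: an unknown verb stays POST.)
function resolveMethod(Request $r): string
{
    $real = strtoupper($r->method);
    if ($real !== 'POST') {
        return $real;                   // a GET form carrying _method=PUT stays GET
    }
    $override = strtoupper($r->headers['X-HTTP-Method-Override'] ?? $r->input['_method'] ?? 'POST');
    $known = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];
    return in_array($override, $known, true) ? $override : 'POST';
}

// Mirrors VerifyCsrfToken::handle(): reading methods pass, then $except, then the token.
function csrfAllows(Request $r, ?string $sessionToken, array $except): bool
{
    // 1. Tested on the *resolved* method: a spoofed PUT is verified, a POST spoofed
    //    to GET is not. One more reason GET routes must never change state.
    if (in_array(resolveMethod($r), ['HEAD', 'GET', 'OPTIONS'], true)) {
        return true;
    }
    // 2. Each $except entry is tried against the full URL and against the path.
    foreach ($except as $pattern) {
        $pattern = $pattern === '/' ? '/' : trim($pattern, '/');
        if (patternMatches($pattern, $r->fullUrl()) || patternMatches($pattern, $r->decodedPath())) {
            return true;
        }
    }
    // 3. Token from the _token field or the X-CSRF-TOKEN header (the encrypted
    //    X-XSRF-TOKEN cookie path is left out), compared in constant time.
    $token = $r->input['_token'] ?? $r->headers['X-CSRF-TOKEN'] ?? null;
    return is_string($sessionToken) && is_string($token) && hash_equals($sessionToken, $token);
}

// Constructed sample requests; $session stands in for the session's _token.
$session = 'constructed-session-token-0123456789abcdef';
$except  = ['api/*', 'a/b/*', 'http://example.com/hooks/*'];

$cases = [
    'plain GET form'                   => [new Request('GET',  'getform'), 'GET', true],
    'POST without token'               => [new Request('POST', 'getform'), 'POST', false],
    'POST with @csrf'                  => [new Request('POST', 'getform', ['_token' => $session]), 'POST', true],
    '@csrf + @method(PUT)'             => [new Request('POST', 'getform', ['_token' => $session, '_method' => 'PUT']), 'PUT', true],
    'spoofed PUT without token'        => [new Request('POST', 'getform', ['_method' => 'PUT']), 'PUT', false],
    'GET form cannot spoof'            => [new Request('GET',  'getform', ['_method' => 'PUT']), 'GET', true],
    'POST spoofed to GET is unchecked' => [new Request('POST', 'getform', ['_method' => 'GET']), 'GET', true],
    'AJAX: token in header'            => [new Request('POST', 'getform', [], ['X-CSRF-TOKEN' => $session]), 'POST', true],
    'exempt by path pattern'           => [new Request('POST', 'api/v1/hook'), 'POST', true],
    'exempt by full-URL pattern'       => [new Request('POST', 'hooks/github'), 'POST', true],
    'same path on another host'        => [new Request('POST', 'hooks/github', [], [], 'other.test'), 'POST', false],
];

foreach ($cases as $name => [$req, $expectMethod, $expectAllowed]) {
    $method  = resolveMethod($req);
    $allowed = csrfAllows($req, $session, $except);
    if ($method !== $expectMethod || $allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for '$name': $method " . var_export($allowed, true));
    }
    printf("%-34s resolved=%-5s %s\n", $name, $method, $allowed ? 'allowed' : 'rejected (419)');
}
```

Run it with php 8 on the command line; it prints one line per case and throws if any case deviates from the expected outcome. Two rows are worth a second look: "spoofed PUT without token" is rejected even though the route would see a PUT, because the browser sent a POST and the token check is not skipped; and "POST spoofed to GET is unchecked" passes without a token, because the reading-method test is applied to the resolved method, which is why a GET handler must never perform a state change.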

Written by php中文网 Courses, php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.