Use the middleware VerifyCsrfToken to avoid CSRF attacks

from Academician Created on Six years ago , last updated on 4 years ago Version # 2 44909 views 35 likes 0 collects

Introduction&Function Demonstration

Cross site request forgery (CSRF) is a malicious vulnerability that attacks credit websites by masquerading requests from authorized users.

Larvel makes it easy to avoid cross site request forgery attacks on applications through its own CSRF protection middleware: Larvel will automatically generate a CSRF "token" for each effective user session managed by the application, and then store the token in the session. The token is used to verify whether the authorized user and the initiator are the same person.

Whenever you define an HTML form in the Larravel application, you need to introduce a CSRF token field in the form, so that the CSRF protection middleware can verify the request. To generate a hidden input field containing a CSRF token, you can use an auxiliary function csrf_field ：

 <form method="POST" action="/profile"> {{ csrf_field() }} ... </form>

Middleware group web Middleware in VerifyCsrfToken It will automatically verify for us whether the token value entered in the request is consistent with the token stored in the session. If the field is not passed or the field value passed is inconsistent with the value stored in the session, an exception will be thrown.

To demonstrate this feature, we have routes/web.php Define a set of test routes in:

 Route::get('form_without_csrf_token', function (){ Return '<form method="POST" action="/hello_from_form"><button type="submit">Submit</button></form>'; }); Route::get('form_with_csrf_token', function () { Return '<form method="POST" action="/hello_from_form">'. csrf_field(). '<button type="submit">Submit</button></form>'; }); Route::post('hello_from_form', function (){ return 'hello laravel!'; });

We access http://blog.dev/form_without_csrf_token And click the submit button on the page, the page reports an error and throws MethodNotAllowedHttpException Exception, which usually means that the CSRF token field is not passed or the passed token field is incorrect:

And when we visit http://blog.dev/form_csrf_token When you click the Submit button on the page, the page displays normally.

Note: CSRF middleware only works for routes/web.php Because the routes under this file are assigned web Middleware group, while VerifyCsrfToken be located web Middleware group.

Exclude the specified URL from CSRF security verification

Sometimes we need to exclude some URLs from the CSRF protection middleware. For example, if you use a third-party payment system (such as Alipay or WeChat payment) to process payment and use the callback function provided by them, then you need to exclude the callback processor route from Larvel's CSRF protection middleware, Because the third-party payment system does not know what token value to send to our defined route.

Usually we need to put this type of route to a file routes/web.php In addition, such as routes/api.php 。 However, if it is necessary to add routes/web.php If you are in, you can also VerifyCsrfToken Add the URL to be excluded to $except Attribute array:

 <? php namespace App\Http\Middleware; use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware; class VerifyCsrfToken extends Middleware { /** *URLs excluded from CSRF validation * * @var array */ protected $except = [ 'alipay/*', ]; }

X-CSRF-Token

In addition to verifying the CSRF token as a POST parameter, you can also set the X-CSRF-Token The request header is used for verification, VerifyCsrfToken Middleware will check X-CSRF-TOKEN Request header. The implementation method is as follows: first, create a meta tag and save the token to the meta tag:

 <meta name="csrf-token" content="{{ csrf_token() }}">

Then add the token to all request headers in the js library (such as jQuery), which provides a simple and convenient way for AJAX based requests to avoid CSRF attacks:

 $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } });

CSRF token and JavaScript

When building JavaScript driven applications, it is convenient to add a CSRF token field to each exit request of the JavaScript HTTP library. By default, resources/assets/js/bootstrap.js The file has been registered through the Axios HTTP library csrf-token The value of this meta tag is used as the token field value. If you do not use this library, you need to manually configure it to achieve similar functions.

X-XSRF-Token

Larave will also save the CSRF token to a file named XSRF-TOKEN In the cookie, you can use the cookie value to set X-XSRF-TOKEN Request header.

Some JavaScript frameworks, such as Angular and Axios, will automatically set this value for you. Basically, you don't need to set this value manually.

last, VerifyCsrfToken The underlying implementation source code of the middleware framework is located in vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php , interested students can go to have a look.

give the thumbs-up Cancel Like

Collection Cancel Collection

appreciate

9 comments

Put forward a suggestion on layout. On the detail page of the document, can you fix the content directory on the left side of the screen instead of related articles. When looking at long documents, it is always troublesome to scroll up the page to find the directory, and the articles recommended in related articles are not highly relevant For example, I am looking at the part of larravel5.4 eloquent orm. The related articles are all about 5.0 and 5.1 eloquent orm. In fact, I think many people should not care about these.

At present, the third-party plug-ins of WordPress are used. What you said will be realized when the college website is to be redeveloped

VerifyCsrfToken middleware can control which does not need verification

How to do token verification if the front and rear templates are separated

Route::get('hello_from_form', function (){ return 'hello laravel!'; }); The post method here should be changed to form form submitted by post

Yes, thank you

Get the token through API and bring it with you when submitting it

Learned

Thank you for learning

You can add comments after logging in

New Features

Upgrade Guide

Installation Configuration

Directory Structure

Heavy development environment: detailed tutorial of Homestead installation

Lightweight development environment: detailed tutorial for installing and using Valet

Using Laradock to build a Docker based PHP development environment

Using Laragon to build the Laravel development environment in Windows

The life cycle of a Laravel request

Service Container

Service Provider

Facades

Contracts

Entrance to the Larravel application: Basic Introduction to Routing Series

Entrance of Laravel application: Parameters, naming and grouping of routing series

Entrance to the Larravel application: Routing Model Binding of Routing Series

HTTP request filter: middleware

Use the middleware VerifyCsrfToken to avoid CSRF attacks

HTTP request processing layer: controller

HTTP request parameter acquisition, cookie setting and file upload

HTTP response, redirection and file download

Larravel view rendering: Blade template engine

Creation and data transfer of Larave view

Auxiliary Functions: Request URL Generation

Session Implementation, Configuration and Use Details

Request form validation and error handling

Exception handling&error log

Localization of view rendering: enable your application to easily support multiple languages

Quick Start: JavaScript&CSS Scaffold

Advanced use: compile front-end resources through Laravel Mix

Implement user registration and login authentication in Laravel

API authentication using Laravel Passport

Implement permission control of resource operation in Laravel

Encrypt and decrypt sensitive data in Larave

Using Hash Algorithm to Implement Password Encryption in Laravel

How to implement password reset function in Laravel

Quick start: basic configuration and use, read-write separation&database transaction

Use advanced: realize advanced functions through query builder

Easily implement paging function in Larravel

Database migration: maintain data tables by version control

Database filler: a good helper for initializing test data

Introduction: database operation using Eloquent model

Advanced Chapter: Using Eloquent Model to Manage Association Relationships

Data format returned by Eloquent query: collection

Formatting model data with accessors and modifiers

API resource class: bridge between the model and JSON API

Serialize model data into arrays or JSON

Use Artisan to build powerful console applications

Service decoupling through events and event listeners

Implementation and use of Laravel queue system

Implementation of event broadcast between server and client in Larravel

Build high-performance Larravel applications through cache

Key value pair Use of storage system Redis in Laravel

Collection: add wings to PHP arrays

Auxiliary function: a sharp tool to simplify Laravel code writing

Integrated Flysystem for advanced operation of file system

Implement mail configuration, preview and sending in Larravel

Using multiple channels to send notifications in Laravel

Development and use of Laravel custom expansion package

Implementation of Timed Task Scheduling in Laravel

Quick start: integrate PHPUnit to write test cases

HTTP test: how to test HTTP requests and responses

Browser test: use Laravel Dusk for browser test

Database testing: model factory generation and use

Simulation: Simplify testing by forging events, mails, notifications, queues, file storage and other services

Subscription payment solution: Larravel Cashier

Remote operation solution: Envoy Task Runner

Queue system solution: Laravel Horizon

Full text search solution: Larravel Scout

Third party login solution: Laravel Socialite

Use the middleware VerifyCsrfToken to avoid CSRF attacks

Introduction&Function Demonstration

Exclude the specified URL from CSRF security verification

X-CSRF-Token

X-XSRF-Token

9 comments