CSRF Protection

Automatic protection against Cross-Site Request Forgery attacks.

Enable protection on a route

@CsrfProtect
@POST(value = "/articles", name = "articles.store")
private Object store(Request req, Response res) {
    // Token validated automatically before this body runs
    // If invalid → 403 Forbidden
    return null;
}
In HTML forms

<form method="POST" action="/articles">
    {{ csrf_field() | raw }}

    <input type="text" name="title">
    <button type="submit">Create</button>
</form>
For AJAX requests

const csrfToken = '{{ csrf_token() }}';

fetch('/articles', {
    method: 'POST',
    headers: {
        'X-CSRF-TOKEN': csrfToken,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({ title: 'My article' })
});
Regenerate token after login

@POST("/login")
private Object login(Request req, Response res) {
    if (isLogged(req)) {
        regenerateCsrfToken(req);
        res.redirect("/dashboard");
    }
    return null;
}
💡 Behavior

  • GET/HEAD/OPTIONS requests are never protected
  • POST/PUT/DELETE/PATCH require the @CsrfProtect annotation
  • Token expires after 1 hour of inactivity
  • Token can be sent via X-CSRF-TOKEN header or _csrf field
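The rules above, written out as a small stand-alone check so the decision a @CsrfProtect route makes is visible: this is an added illustration, not the framework's own code, and CsrfSession, newToken and allow are hypothetical names standing in for the framework's session and token handling.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

public class CsrfCheck {
    static final long TTL_MS = 60L * 60 * 1000;                     // 1 hour of inactivity
    static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS"); // never protected

    // Hypothetical stand-in for the framework session: the token and when it was last used.
    static class CsrfSession {
        String token;
        long lastUsedMs;
    }

    // Mint a fresh random token (what the page's regenerateCsrfToken would do after login).
    static String newToken(CsrfSession s, long nowMs) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        s.token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        s.lastUsedMs = nowMs;
        return s.token;
    }

    // true: let the route run; false: answer 403 Forbidden.
    static boolean allow(String method, String headerToken, String formToken, CsrfSession s, long nowMs) {
        if (SAFE.contains(method.toUpperCase())) return true;        // GET/HEAD/OPTIONS skip the check
        String sent = headerToken != null ? headerToken : formToken; // X-CSRF-TOKEN header, else _csrf field
        if (sent == null || s.token == null) return false;
        if (nowMs - s.lastUsedMs > TTL_MS) { s.token = null; return false; } // expired by inactivity
        boolean ok = MessageDigest.isEqual(                          // constant-time comparison
                sent.getBytes(StandardCharsets.UTF_8), s.token.getBytes(StandardCharsets.UTF_8));
        if (ok) s.lastUsedMs = nowMs;                                // valid use refreshes the window
        return ok;
    }

    public static void main(String[] args) {
        CsrfSession s = new CsrfSession();
        String tok = newToken(s, 0);
        System.out.println("GET without token: " + allow("GET", null, null, s, 1_000));
        System.out.println("POST with header token: " + allow("POST", tok, null, s, 2_000));
        System.out.println("POST with wrong _csrf field: " + allow("POST", null, "not-the-token", s, 3_000));
        System.out.println("POST after 1h idle: " + allow("POST", tok, null, s, 2_000 + TTL_MS + 1));
        newToken(s, 0); // regenerate after login so a pre-login token cannot be reused
    }
}
```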