CSRF Protection

[Since 0.5.0]


Read the Wikipedia article on Cross-site request forgery (CSRF) to learn what such an attack is.

To protect your application against CSRF attacks, consider the following.


You should add a hidden field with a CSRF token in each form like this:

    <input name="_token" value="{{csrf_token()}}" type="hidden"/>


Pletfix provides a middleware out of the box that checks the CSRF token. You may add this middleware in your route file like this:


If you have bound the CSRF middleware as shown above, a POST request is only accepted if it carries a valid CSRF token.


The CSRF middleware also reads the token from the "X-CSRF-TOKEN" header. Therefore, if you use the jQuery library, you can set the CSRF token globally like this (reading it from a `<meta name="csrf-token">` tag in the page head) so that it is sent with every AJAX request automatically:

    $.ajaxSetup({
        headers: {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        }
    });

If you have installed the Pletfix Application Skeleton, the setup above is already done.
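The two ways of passing the token described above (the `_token` hidden field and the `X-CSRF-TOKEN` header), shown as an added example that is not Pletfix's own middleware: a minimal PHP CSRF guard that issues a per-session token, renders the hidden field, and accepts a POST only when the submitted token matches. The function names `csrf_token()`, `csrf_field()` and `csrf_guard()`, the session key `_csrf`, and the shape of the `$request` array are assumptions made for this example.

```php
<?php
// Added example, not Pletfix's own middleware: a minimal CSRF guard that
// mirrors the behaviour described above. The function names, the session
// key '_csrf' and the $request array layout are assumptions for this demo.

declare(strict_types=1);

// Generate one unguessable token per session and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['_csrf'])) {
        // 32 random bytes -> 64 hex characters from a CSPRNG.
        $session['_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['_csrf'];
}

// The hidden field to embed in every form, as shown above.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input name="_token" value="' . $token . '" type="hidden"/>';
}

// The check a CSRF middleware performs. $request is a constructed array with
// the keys 'method', 'post' (form fields) and 'headers' (header name => value).
function csrf_guard(array $request, array &$session): bool
{
    // Safe methods carry no state change, so they pass without a token.
    if (in_array($request['method'], ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    // The token may arrive as the _token field or as the X-CSRF-TOKEN header.
    $sent     = $request['post']['_token'] ?? $request['headers']['X-CSRF-TOKEN'] ?? '';
    $expected = $session['_csrf'] ?? '';

    // No token in the session or in the request: reject.
    if ($expected === '' || !is_string($sent) || $sent === '') {
        return false;
    }

    // hash_equals compares in constant time, so the comparison leaks no timing.
    return hash_equals($expected, $sent);
}

// --- constructed demo requests ---
$session = [];
$token   = csrf_token($session);

$requests = [
    'form post with _token'      => ['method' => 'POST', 'post' => ['_token' => $token], 'headers' => []],
    'ajax post with header'      => ['method' => 'POST', 'post' => [], 'headers' => ['X-CSRF-TOKEN' => $token]],
    'cross-site post, bad token' => ['method' => 'POST', 'post' => ['_token' => 'guess'], 'headers' => []],
    'cross-site post, no token'  => ['method' => 'POST', 'post' => [], 'headers' => []],
    'plain GET'                  => ['method' => 'GET', 'post' => [], 'headers' => []],
];

echo csrf_field($session), PHP_EOL;
foreach ($requests as $label => $request) {
    printf("%-28s => %s\n", $label, csrf_guard($request, $session) ? 'accepted' : 'rejected');
}
```

Only the two requests that carry the session's token are accepted; the forged and token-less POSTs are rejected, while the GET passes because it changes no state. The guard compares with `hash_equals` rather than `===` so that the comparison time does not depend on how many leading characters match, and it treats a missing session token as a failure rather than as "nothing to check".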
