In this article I will show you how to protect your Laravel app from bots and spammers. Let's take a case where you need to pass information along to Laravel's router manually. CSRF tokens prove that the requesting form is actually coming from the same application, and they have to be passed manually. And HTML forms only allow for GET or POST, so if you want any other sort of verb, you'll need to specify that yourself. Let's take a look at these two.
Btw What is CSRF? ;)
CSRF, or Cross-Site Request Forgery, is when one web site pretends to be another. The goal is for someone to hijack your users’ access to your web site by submitting forms from their web site toward your web site, in the user’s browser, while they’re still logged into your site.
The best way around CSRF is to protect all inbound routes (POST, DELETE, etc.) with a token, which Laravel does out of the box.
OK, I know you got it. Let me introduce you to HTTP verbs.
If you're not familiar with HTTP verbs, the other two most common are PUT and DELETE, but there's also HEAD, OPTIONS, PATCH, and two others that are pretty much never used in normal web development, TRACE and CONNECT.
Here's the quick rundown: GET requests a resource and HEAD asks for a headers-only version of the GET, POST creates a resource, PUT overwrites a resource and PATCH modifies a resource, DELETE deletes a resource, and OPTIONS asks the server which verbs are allowed at this URL.
So what is the role of HTTP verbs in Laravel?
So, as we've shown already, you can define which verbs a route will match in the route definition, with the difference between Route::get, Route::post, Route::any, or Route::match.
But how does one send a request other than GET with a web browser? First, the method in an HTML form determines its HTTP verb: if your form has a method of "get", it will submit via query parameters and a GET method; if the form has a method of "post", it will submit via the post body and a POST method.
JavaScript frameworks make it easy to send other requests like DELETE and PATCH. But if you find yourself needing to submit forms in Laravel with verbs other than GET or POST, you'll need to use "form method spoofing".
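As an added example (not code from the original article), here are the two Laravel files that put the above together: route definitions that each match specific verbs, and a Blade form that carries the CSRF token plus the spoofed method. The posts resource, PostController and a Laravel 5.6+ app (for the @csrf and @method directives) are assumptions.

```php
<?php
// Added example, not code from the original article. Two files from a
// hypothetical Laravel 5.6+ app; "posts" and PostController are assumed.

// ---- routes/web.php ---------------------------------------------------
use Illuminate\Support\Facades\Route;

// Only GET (and HEAD) match: a browser visiting the URL, or a method="get"
// form, which sends its fields as query parameters.
Route::get('/posts/{post}', 'PostController@show');

// Only POST matches: a method="post" form sends its fields in the body.
// Routes in web.php sit behind the VerifyCsrfToken middleware, so a POST
// whose _token field is missing or wrong is rejected with a 419 response
// before the controller ever runs.
Route::post('/posts', 'PostController@store');

// PUT or PATCH only: an HTML form cannot send either verb on its own.
Route::match(['put', 'patch'], '/posts/{post}', 'PostController@update');

// DELETE only: same story, the form needs method spoofing to reach it.
Route::delete('/posts/{post}', 'PostController@destroy');
?>

<!-- ---- resources/views/posts/edit.blade.php ---------------------------
     The browser still sends a real POST; the two hidden fields are what
     make Laravel treat it as a legitimate PATCH from this application. -->
<form method="post" action="/posts/{{ $post->id }}">
    @csrf            {{-- hidden _token field, checked by VerifyCsrfToken --}}
    @method('PATCH') {{-- hidden _method field, so the router matches PATCH --}}
    <input type="text" name="title" value="{{ $post->title }}">
    <button type="submit">Save</button>
</form>
```

Sending the same form without the @csrf line is the easiest way to see the 419 rejection for yourself, and without @method the request matches Route::post rather than the update route.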
OK, you got it :)
Really? I think not yet... let me introduce you to form method spoofing in Laravel.