To tell Laravel that the form you are submitting should be treated as something other than a POST, add a hidden input named _method with the value PUT, PATCH, or DELETE, and Laravel will match and route that form submission _as if it were actually a request with that verb._

<form action="/tasks/5" method="POST">
    <input type="hidden" name="_method" value="DELETE">
</form>


The form above, since it passes Laravel the method DELETE, will match routes defined with Route::delete but not those defined with Route::post. Note that the override is only honoured when the real HTTP method is POST: a _method parameter arriving on a GET request is ignored, so a plain link cannot be turned into a destructive request this way.

That is form method spoofing in Laravel. With that covered, we can move on to CSRF protection.

CSRF protection

If you have already tried to create and submit a form in a Laravel application, you have likely run into the dreaded TokenMismatchException. Submit the form above exactly as written and you will hit that exception too.

By default, every route in Laravel except the "read-only" routes (those using GET, HEAD, or OPTIONS) is protected against Cross-Site Request Forgery by requiring a token (an input named _token) to be passed along with each request. The token is generated when the session starts, and on every non-read-only request the VerifyCsrfToken middleware compares the submitted _token against the token stored in the session, using a constant-time comparison. In a default installation that middleware is part of the web middleware group, so routes outside that group (such as those in routes/api.php) are not covered by it.

You have two options for satisfying this check. The first, and preferred, method is to add the _token input to each of your submissions. In HTML forms that is simple:

<form action="/tasks/5" method="POST">
    <input type="hidden" name="_method" value="DELETE">
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
</form>

In JavaScript applications it is a bit more work, but not much. The most common solution for sites using jQuery is to store the token in a meta tag on every page:

Storing the CSRF token in a meta tag
<meta name="csrf-token" content="{{ csrf_token() }}">

Storing the token in a meta tag makes it easy to bind it to the correct HTTP header once, globally, for all jQuery requests:

Globally binding a jQuery header for CSRF
// Read the token from the meta tag once and attach it to every jQuery AJAX request
$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

Laravel checks X-CSRF-TOKEN on every non-read-only request, and a valid token passed in that header satisfies the CSRF check just as a _token input would. (Laravel also sets an XSRF-TOKEN cookie and accepts its value back in an X-XSRF-TOKEN header, the convention used by libraries such as Angular and Axios.)
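To make the two rules above concrete (how a spoofed form method is resolved, and when the CSRF check runs and what it compares), here is a small stand-alone PHP script added to this post as a worked example. It is not Laravel's own implementation: the function names resolveMethod, isReadOnly, csrfSatisfied and handle are made up for the illustration, the real logic lives in Request::method() and the VerifyCsrfToken middleware, and the model simplifies a few details (Laravel also reads the override from the query string and the X-HTTP-METHOD-OVERRIDE header, and accepts the token via X-XSRF-TOKEN). The requests at the bottom are constructed inputs.

```php
<?php
// Added example, not Laravel's code: a simplified model of how Laravel
// resolves a spoofed form method and then enforces CSRF on the result.
// resolveMethod, isReadOnly, csrfSatisfied and handle are names chosen
// for this illustration only.

declare(strict_types=1);

// The _method override is honoured only when the real HTTP method is POST.
// This model restricts it to the verbs a browser form cannot send itself.
function resolveMethod(string $realMethod, array $body): string
{
    $realMethod = strtoupper($realMethod);
    if ($realMethod !== 'POST') {
        return $realMethod;               // _method on a GET is ignored
    }
    $spoofed = strtoupper((string) ($body['_method'] ?? ''));
    return in_array($spoofed, ['PUT', 'PATCH', 'DELETE'], true) ? $spoofed : 'POST';
}

// GET, HEAD and OPTIONS are treated as read-only and are never checked.
function isReadOnly(string $method): bool
{
    return in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);
}

// Lookup order as described in the text: the _token field first, then the
// X-CSRF-TOKEN header. hash_equals gives a constant-time comparison so the
// token cannot be guessed one character at a time via timing.
function csrfSatisfied(string $sessionToken, array $body, array $headers): bool
{
    $supplied = $body['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;
    if (!is_string($supplied) || $supplied === '' || $sessionToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $supplied);
}

// Returns the outcome a request to /tasks/5 would see.
function handle(string $sessionToken, string $realMethod, array $body, array $headers = []): string
{
    $method = resolveMethod($realMethod, $body);
    if (!isReadOnly($method) && !csrfSatisfied($sessionToken, $body, $headers)) {
        return "$method /tasks/5 -> TokenMismatchException";
    }
    return "$method /tasks/5 -> routed to Route::" . strtolower($method);
}

// Constructed inputs: one session token (csrf_token() in Laravel is a
// 40-character random string; 20 random bytes in hex is the same length),
// then several submissions against it.
$session = bin2hex(random_bytes(20));

$cases = [
    'spoofed DELETE with token'   => ['POST', ['_method' => 'DELETE', '_token' => $session]],
    'spoofed DELETE, no token'    => ['POST', ['_method' => 'DELETE']],
    'spoofed DELETE, wrong token' => ['POST', ['_method' => 'DELETE', '_token' => 'guess']],
    'AJAX POST via header'        => ['POST', [], ['X-CSRF-TOKEN' => $session]],
    'plain GET (read-only)'       => ['GET',  []],
    '_method on GET is ignored'   => ['GET',  ['_method' => 'DELETE']],
];

foreach ($cases as $label => $case) {
    [$real, $body] = $case;
    $headers = $case[2] ?? [];
    printf("%-28s %s\n", $label . ':', handle($session, $real, $body, $headers));
}
```

Run it with `php csrf_model.php`. The first and fourth cases reach the route, the second and third raise the mismatch, and the last two show that a GET is neither checked nor upgraded to a DELETE by a stray _method parameter.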

So does this protect your Laravel app from bots and spammers? Only partly, and it is worth being clear about which threat CSRF protection actually addresses.

A CSRF token stops a third-party site from making a logged-in user's browser submit your forms without the user's knowledge, because the attacker's page cannot read the token tied to the victim's session. It does not stop a bot that fetches your form directly, reads the _token input (or the csrf-token meta tag) out of the HTML, and submits it back within the same session, which is exactly what a scripted spammer does. Treat CSRF protection as the defence against forged cross-site requests it was designed to be, and reach for rate limiting, a CAPTCHA, or honeypot fields if spam bots are the real problem.

 

 

Thanks for reading.

Regards, Deven Rathore

 

