Protect Your laravel App from bots and spammers

In this article i will show you how to protect your laravel app from bots and spammers . lets take a case where you need to pass information along to Laravel’s router manually . CSRF tokens prove that the requesting form is actually coming from the same application, and have to be passed manually. And HTML forms only allow for GET or POST, so if you want any other sort of verb, you’ll need to specify that yourself. Let’s take a look at these two.

Btw What is CSRF? ;)

CSRF, or Cross-Site Request Forgery, is when one web site pretends to be another. The goal is for someone to hijack your users’ access to your web site by submitting forms from their web site toward your web site, in the user’s browser, while they’re still logged into your site.

The best way around CSRF is to protect all inbound routes — POST, DELETE, etc.–with a token, which Laravel does out of the box.

ok i know  you got it . let me introduce you http  verbs

If you’re not familiar with HTTP verbs, the other two most common are PUT and DELETE, but there’s also HEAD, OPTIONS, PATCH, and two others that are pretty much never used in normal web development, TRACE and CONNECT.

Here’s the quick rundown: GET requests a resource and HEAD asks for a headers-only version of the GET, POST creates a resource, PUT overwrites a resources and PATCH modifies a resource, DELETE deletes a resource, and OPTIONS asks the server which verbs are allowed at this URL.

So what is the role of HTTP verbs in Laravel ?

So, as we’ve shown already, you can define which verbs a route will match in the route definition, with the difference between Route::get, Route::post, Route::any, or Route::match.

But how does one send a request other than GET with a web browser? First, the method in an HTML form determines its HTTP verb: if your form has a method of “get”, it will submit via query parameters and a GET method; if the form has a method of “post”, it will submit via the post body and a POST method.

JavaScript frameworks make it easy to send other requests like DELETE and PATCH. But if you find yourself needing to submit forms in Laravel with verbs other than GET or POST, you’ll need to use “form method spoofing”.

ok you got it :)

really ? i think not yet .. let me introduce you Form method spoofing in laravel


To inform Laravel that the form you’re currently submitting should be treated as something other than POST, add a hidden variable named _method with the value of either PUT, PATCH, or DELETE, and Laravel will match and route that form submission _as if it were actually a request with that verb._

<form action="/tasks/5" method="POST">
    <input type="hidden" name="_method" value="DELETE">

The form above , since it’s passing Laravel the method of “DELETE,” will match routes defined with Route::delete but not those with Route::post.

ok now you know what is Form method spoofing in laravel . so we can now move ahead and apply CSRF protection in laravel

CSRF protection

If you’ve tried to create and submit a form in a Laravel application already, you’ve likely run into the dreaded TokenMismatchException. If you run the form in below you’ll actually run into this exception already.

By default, every route in Laravel except “read-only” routes (those using GET, HEAD, or OPTIONS) are protected against Cross-Site Request Forgery by requiring a token (in the form of an input named _token) be passed along with each request. This token is generated at the start of every session, and every non-read-only route compares the submitted _token against the session token.

You have two options for getting around this. The first, and preferred method, is to add the _token input to each of your submissions. In HTML forms, that’s simple; look the code below

<form action="/tasks/5" method="POST">
    <input type="hidden" name="_method" value="DELETE">
    <input type="hidden" name="_token" value="{{ csrf_token() }}">

In JavaScript applications, it’s a bit more work, but not much. The most common solution, for sites using jQuery, is to store the token in a meta tag on every page like below

.Storing the CSRF token in a meta tag
<meta name="csrf-token" content="{{ csrf_token() }}">

Storing the token in a meta tag makes it easy to globally bind that to the correct HTTP header, which you can do once globally for all jQuery requests, like in code below

Globally binding a jQuery header for CSRF
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')

Laravel will check the X-CSRF-TOKEN on every request and valid tokens passed there will mark the CSRF protection as satisfied.

But we are trying to Protect our  laravel App from bots and spammers . ? =D

yeah ..your app is now protected because Superhero will protect your laravel  app from bots and spammers around the web . do you know who is that Super hero …..  any guess ?








ITS CSRF . You are Protected . because 99.9 % bots and spammers can’t bypass CSRF Protection :)



…thanks For reading

regards  . Deven rathore


Deven Rathore

Deven is an Entrepreneur, and Full-stack developer, Constantly learning and experiencing new things. He currently runs and

Published by
Deven Rathore

Recent Posts

Choose An App Development Company In 4 Easy Ways

The mobile app industry has been popular in recent years. Thanks to the continuing technological…

6 hours ago

3 Ways to Get the Most Out of Your University’s Virtual Computer Lab

IT is more important than ever in the world of higher education, and yet with…

7 hours ago

Top Tips for Learning Java Programming

If you’re here for the top tips, we assume you’re ahead of the “how to…

3 days ago

Neural Networks for Creating Blog Texts

The world is progressing at unprecedented rates at the current moment, especially in terms of…

4 days ago

Top 20 Opensource Python Tkinter Projects

This article will highlight the Top 20 Opensource Python Tkinter Projects which we believe will…

6 days ago

Beginners guide to Sneaker Proxies

With their numerous applications in streamlining the data flow, securing both the servers and the…

1 week ago