CSRF Protection

Laravel automatically generates a CSRF "token" for each active user session.
This token is used to verify that the authenticated user is the person actually making the requests. There are two ways to read the current session's token:

use Illuminate\Http\Request;

Route::get('/token', function (Request $request) {
    // Read the token straight from the session...
    $token = $request->session()->token();
    // ...or via the global helper, which returns the same value.
    $token = csrf_token();
    // ...
});

Any HTML form that sends a POST, PUT, PATCH, or DELETE request should include a hidden CSRF _token field so the request can be validated against the session's token.

<form method="POST" action="/profile">
    @csrf
    <!-- Equivalent to... -->
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>
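To make the check behind the @csrf field concrete, here is an added, framework-free sketch of a CSRF token verification (example code, not Laravel's own middleware): the session holds a random token, the request supplies it in the hidden _token field or, as Laravel also accepts, in an X-CSRF-TOKEN header, and the two are compared with hash_equals. Function names and the sample requests are constructed for this example.

```php
<?php
// Added example, not Laravel's middleware: shows what a CSRF check does.
// Function names are hypothetical; sample requests are constructed.

declare(strict_types=1);

// Generate a fresh per-session token: 40 hex characters from a CSPRNG.
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(20));
}

// Read the token the client supplied: the hidden form field first, then the
// X-CSRF-TOKEN header that AJAX requests use instead of a form field.
function tokenFromRequest(array $input, array $headers): ?string
{
    if (isset($input['_token']) && is_string($input['_token'])) {
        return $input['_token'];
    }
    $header = $headers['X-CSRF-TOKEN'] ?? null;
    return is_string($header) ? $header : null;
}

// State-changing methods must carry a token that matches the session's.
// GET/HEAD/OPTIONS are read-only and skip the check. hash_equals keeps the
// comparison constant-time so timing does not leak the token.
function csrfCheckPasses(string $method, array $session, array $input, array $headers): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $sessionToken = $session['_token'] ?? null;
    $requestToken = tokenFromRequest($input, $headers);
    if (!is_string($sessionToken) || !is_string($requestToken)) {
        return false; // no token at all: reject, never fall back to "allow"
    }
    return hash_equals($sessionToken, $requestToken);
}

// Constructed session and sample requests.
$session = ['_token' => generateCsrfToken()];

$cases = [
    'valid form post'   => ['POST',   ['name' => 'Ada', '_token' => $session['_token']], []],
    'valid ajax header' => ['DELETE', [], ['X-CSRF-TOKEN' => $session['_token']]],
    'missing token'     => ['POST',   ['name' => 'Ada'], []],
    'wrong token'       => ['PUT',    ['_token' => str_repeat('a', 40)], []],
    'plain GET'         => ['GET',    [], []],
];

foreach ($cases as $label => [$method, $input, $headers]) {
    $ok = csrfCheckPasses($method, $session, $input, $headers);
    // Laravel answers a failed check with HTTP 419 (Page Expired); mirrored here.
    printf("%-18s %-6s -> %s\n", $label, $method, $ok ? '200 accepted' : '419 rejected');
}
```

Run it with php on the command line; the first two requests are accepted and the next two rejected, while the GET is never checked. The point for a reviewer is the two failure branches: a missing token is rejected rather than ignored, and the comparison uses hash_equals rather than ==.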

See Forms
