How to Exclude Route from CSRF Middleware in Laravel

How to Exclude Routes from CSRF Middleware in Laravel?

Cross-Site Request Forgery (CSRF) is a common security vulnerability in web applications. Laravel, a popular PHP framework, provides built-in CSRF protection by including a CSRF token in forms and validating this token on the server side. However, there might be cases where you need to exclude certain routes from CSRF protection, such as when dealing with third-party services or certain APIs. This article will guide you through the steps to exclude routes from CSRF middleware in Laravel with simple and easy-to-understand instructions.

What is CSRF Middleware?

CSRF middleware in Laravel generates a token for each active user session, includes it in your forms, and verifies that the token sent with each state-changing request matches the one stored in the session. A forged request submitted from another site cannot read that token, so it is rejected, which protects your application from cross-site request forgery.

When to Exclude Routes from CSRF Middleware

Excluding routes from CSRF middleware can be necessary in scenarios like:

  • API endpoints that are accessed by third-party services.
  • Webhooks from external services that do not include a CSRF token.
  • Specific routes that do not need CSRF protection due to the nature of the request.

Steps to Exclude Routes from CSRF Middleware

Step 1: Open the Middleware File

In Laravel, the CSRF protection middleware is located in app/Http/Middleware/VerifyCsrfToken.php. Open this file in your code editor.

Step 2: Define the Routes to be Excluded

Inside the VerifyCsrfToken class, there is a property called $except. This property is an array where you can specify the routes you want to exclude from CSRF protection.

Here’s an example of what the VerifyCsrfToken class looks like with some routes excluded:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array<int, string>
     */
    protected $except = [
        'webhook/*',
        'api/third-party-service',
        'payment/callback',
    ];
}

Explanation of the Code

  • webhook/*: This will exclude all routes that start with webhook/ from CSRF protection. For example, webhook/github, webhook/gitlab, etc.
  • api/third-party-service: This will exclude the specific route api/third-party-service from CSRF protection.
  • payment/callback: This will exclude the specific route payment/callback from CSRF protection.

Step 3: Save the Changes

After adding the routes you want to exclude to the $except array, save the VerifyCsrfToken.php file.

Step 4: Test the Excluded Routes

It’s essential to test the routes you’ve excluded to ensure they work as expected. You can use tools like Postman or cURL to make requests to the excluded routes and verify they do not require a CSRF token.

Example Test with Postman

  1. Open Postman and create a new request.
  2. Set the request method (e.g., POST) and enter the URL of the route you’ve excluded (e.g., http://yourapp.test/webhook/github).
  3. Send the request and check the response to ensure it is processed correctly without any CSRF token errors.
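Because a route listed in $except receives no CSRF check at all, the handler behind it should authenticate the caller some other way. The following controller is an added example, not code from the original article or from Laravel itself: it sits under the 'webhook/*' exclusion shown above and verifies an HMAC signature on the raw request body instead. The header name 'X-Webhook-Signature' and the config key 'services.webhook.secret' are assumptions chosen for the example; use whatever the sending service actually documents.

```php
<?php
// Added example (not from the original article): a webhook handler for a route
// covered by the 'webhook/*' entry in $except. Since the CSRF middleware skips
// it, the request is authenticated with an HMAC-SHA256 signature instead.
// Assumptions (hypothetical): the sender signs the raw body with a shared secret
// and sends the hex digest in an 'X-Webhook-Signature' header; the secret is
// stored under config('services.webhook.secret').

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\Response;

class WebhookController extends Controller
{
    public function handle(Request $request): Response
    {
        $secret   = (string) config('services.webhook.secret');
        $provided = (string) $request->header('X-Webhook-Signature', '');

        // Fail closed: a missing secret or signature is never accepted.
        if ($secret === '' || $provided === '') {
            return response('Unauthorized', 401);
        }

        // Sign the raw body bytes, not the parsed input: re-encoding the
        // decoded payload could change the bytes and break verification.
        $expected = hash_hmac('sha256', $request->getContent(), $secret);

        // Constant-time comparison so timing does not reveal matching bytes.
        if (! hash_equals($expected, $provided)) {
            return response('Unauthorized', 401);
        }

        // Signature verified: process the webhook payload here.
        return response('OK', 200);
    }
}
```

Register it in routes/web.php with Route::post('webhook/github', [WebhookController::class, 'handle']); so the path matches the 'webhook/*' exclusion, and check in the Step 4 test that an unsigned POST now gets a 401 rather than being processed.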

Conclusion

Excluding routes from CSRF middleware in Laravel is straightforward. By modifying the VerifyCsrfToken class and adding the necessary routes to the $except array, you can easily disable CSRF protection for specific routes. Always ensure you only exclude routes that genuinely do not need CSRF protection to maintain the security of your application.

By following these steps, you can effectively manage your routes and ensure your Laravel application remains secure while accommodating specific needs for certain endpoints.