
I have a route that serves as a webhook endpoint that gets called by a remote service, but the calls that the service makes to the webhook always fail.

After some inspection of the service logs, I learned that the service is getting an HTTP error code 419.

I used to add exceptions inside the $except property of the App\Http\Middleware\VerifyCsrfToken middleware. However, I'm on Laravel 11 and I can't find this middleware anymore. What is the solution to this problem?

2 Answers


  1. Chosen as BEST ANSWER

    Starting from Laravel 11, the VerifyCsrfToken middleware no longer exists within the application's skeleton.

    Instead, you can specify which routes should bypass the CSRF verification process using the validateCsrfTokens() method. You can call this method inside the withMiddleware() method callback within your bootstrap/app.php file. For example:

    <?php

    use Illuminate\Foundation\Application;
    use Illuminate\Foundation\Configuration\Middleware;

    return Application::configure(basePath: dirname(__DIR__))
        ->withRouting(
            web: __DIR__.'/../routes/web.php',
            commands: __DIR__.'/../routes/console.php',
            channels: __DIR__.'/../routes/channels.php',
            health: '/up',
        )
        ->withMiddleware(function (Middleware $middleware) {
            // URIs listed here skip CSRF token verification.
            $middleware->validateCsrfTokens(except: [
                'your-webhook-endpoint/action-name' // <-- exclude this route
            ]);
        })->create();
    

    More information is available in the documentation at: https://laravel.com/docs/11.x/csrf#csrf-excluding-uris


  2. Even if the VerifyCsrfToken is not in the default app anymore, you can still use it in L11 as it is still in the framework:

    https://github.com/laravel/framework/blob/11.x/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php

    So you can use it as in previous versions of Laravel:

    Create a custom VerifyCsrfToken middleware:

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'your-endpoint'
        ];
    }
    

    and just add it inside your middlewareGroups inside Kernel.php:

    protected $middlewareGroups = [
        'web' => [
            // [...]
            \App\Http\Middleware\VerifyCsrfToken::class,
        ],
    ];
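
Both answers remove CSRF verification from the webhook route, so the request needs some other proof that it comes from the remote service. The middleware below is an added example, not code from the answers or from Laravel: it checks an HMAC-SHA256 signature of the raw request body. The header name `X-Signature`, the config key `services.webhook.secret`, the signing scheme and `WebhookController` are assumptions; use whatever your webhook provider documents.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example: authenticates webhook calls on a route that is excluded from
 * CSRF verification. Assumed scheme (check your provider's documentation):
 * the sender puts hex(HMAC-SHA256(secret, raw request body)) in X-Signature.
 */
class VerifyWebhookSignature
{
    public function handle(Request $request, Closure $next): Response
    {
        // Hypothetical config key; keep the shared secret in .env, not in code.
        $secret = (string) config('services.webhook.secret');

        // Fail closed: an unset secret must not turn into "accept everything".
        if ($secret === '') {
            abort(500, 'Webhook secret is not configured.');
        }

        $signature = (string) $request->header('X-Signature');
        if (! self::signatureIsValid($request->getContent(), $signature, $secret)) {
            abort(401, 'Invalid webhook signature.');
        }

        return $next($request);
    }

    /** Pure check, so it can be unit-tested without the framework. */
    public static function signatureIsValid(string $rawBody, string $signature, string $secret): bool
    {
        // Sign the raw bytes as received; re-encoding parsed JSON changes them.
        $expected = hash_hmac('sha256', $rawBody, $secret);

        // hash_equals() compares in constant time, unlike == or ===.
        return hash_equals($expected, strtolower(trim($signature)));
    }
}

// routes/web.php: attach the middleware to the CSRF-exempt route only.
// WebhookController is a hypothetical controller name.
// Route::post('your-webhook-endpoint/action-name', WebhookController::class)
//     ->middleware(\App\Http\Middleware\VerifyWebhookSignature::class);
```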
    