
I'm starting with Laravel 5, and I want to do everything right. I'm doing a "Post" with JSON, and I want to implement CSRF protection, but I don't know how I can do that with my JSON. I saw so many examples with AJAX, but with JSON I didn't find any.

Do I need to set every token manually for each person, or does Laravel do that automatically?

How can I pass the token as an argument in that JSON?

That is my JSON:

{
   "foo":"bar"
}

That's my controller code:

public function Register()
{
    $teste = Request::json()->all();
    return  $teste;    
}

I'm using all the default protection from Laravel in the middleware.

JoseSilva
micael cunha
  • How are you sending the JSON to the server? JSON is a data structure, and AJAX is a way of sending a request from JavaScript to the server. AJAX uses JSON. – Jeff Dec 24 '15 at 03:51
  • Have a parameter `_token` in your JSON, which will have a value `var token = "{{ csrf_token() }}"` – Vishal Sharma Dec 24 '15 at 04:52
  • Check this Answer - https://stackoverflow.com/questions/53684928/how-to-automatically-add-x-csrf-token-with-jquery-ajax-request-in-laravel/53684929#53684929 – Prateek Dec 22 '18 at 09:06

3 Answers


We've solved this problem in our Laravel app as well. It was as simple as doing the following two things.

First, create the _token variable on your pages; you can even put this in your base layout view templates:

<script type="text/javascript">
    var _token = '{{ csrf_token() }}';
</script>

Then, make it so that every AJAX request posts the _token variable with the following at the start of your JS app code (or anywhere before you start using the AJAX calls with jQuery):

$.ajaxSetup({
    data: { _token: _token }
});

So long as none of your requests use the _token index, you should now have the csrf token added to every ajax request you make within your app.

jardis

You always need to pass the CSRF token, whether posting with AJAX or normally. This is basically a security feature.

Laravel generates it automatically.

You need to create a "_token" variable on your page. You can also create the variable once in the main template, and then you can access it in the whole project:

<script type="text/javascript">
    var secure_token = '{{ csrf_token() }}';
</script>

Now you can send the token with the data in the AJAX calls like below:

$.ajax({
    data: { _token: secure_token }
});

If you are posting any data through form submission you can post it like:

<input type="hidden" name="_token" value="{{ csrf_token() }}">

You should always have the CSRF token posted with every AJAX request or form submission you make within your project.

Veerendra

As of Laravel 5, the default CSRF middleware will check for either a form data field named _token OR a request header named X-CSRF-Token.

If you are not posting form data (e.g. JSON or XML), then the header is the simplest option.

If you are using jQuery, then you can set it for all AJAX requests by adding the following script tag to a template that is always loaded, for example layout.blade.php:

<script>
    $(function(){
        $.ajaxSetup({
            headers:{'X-CSRF-Token': '{{ csrf_token() }}'}
        });
    });
</script>
Steve
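
Added example (not from any of the answers, nor Laravel's own code): a JSON POST that carries the token in the X-CSRF-Token header described in the last answer, so the body stays exactly the JSON from the question. The function name, the `/register` path, the example origins and the sample token are assumptions; it goes slightly beyond the answers by attaching the token only to same-origin requests, so the token is never sent to another host.

```javascript
// Builds the arguments for fetch(); kept pure so it can be checked outside a browser.
// buildJsonPost and its parameters are hypothetical names for this example.
function buildJsonPost(url, payload, csrfToken, pageOrigin) {
  // Resolve relative URLs against the page, as the browser would.
  const target = new URL(url, pageOrigin);
  const sameOrigin = target.origin === new URL(pageOrigin).origin;

  const headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
  };

  if (sameOrigin) {
    // Fail loudly instead of sending a request the middleware will reject.
    if (!csrfToken) throw new Error('CSRF token missing from page');
    headers['X-CSRF-Token'] = csrfToken;
  }

  return {
    url: target.href,
    options: {
      method: 'POST',
      headers,
      // Session cookie goes only to our own origin; nothing to third parties.
      credentials: sameOrigin ? 'same-origin' : 'omit',
      // The payload is sent untouched: no _token key is mixed into the JSON.
      body: JSON.stringify(payload),
    },
  };
}

// Browser usage, assuming the _token variable from the first answer's <script> tag
// and a hypothetical /register route:
//   const req = buildJsonPost('/register', { foo: 'bar' }, _token, location.origin);
//   fetch(req.url, req.options).then(r => r.json());
```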