Laravel document sorting 3. CSRF protection

Preface ：Laravel Document sorting , Only for record , Nothing else .

1、Laravel How to avoid cross site forged requests ？
Generate CSRF token, Verify that the user is the actual sender user .

2、 How to generate CSRF token
<?php echo csrf_field(); ?>

<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

It can also be in blade Use in templates ：
{ { csrf_field() }}

3、 Usually we don't need to verify this token, that , How did it come true ？
VerifyCsrfToken middleware , The request and session Medium token Is it consistent .

4、 If there are some routes you don't want to be CSRF Protect , How to set ？
stay VerifyCsrfToken Middleware , add to $expect attribute , exclude URI
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * URIs Should be CSRF Verify execution .
     *
     * @var array
     */
    protected $except = [
        'stripe/*',
    ];
}

5、VerfifyCsrfToken Only check post How to submit parameters ？ What else will be checked ？
In the header X-CSRF-TOKEN. Such as the following ：
<meta name="csrf-token" content="{ { csrf_token() }}">

This situation , Usually ajax Processing will use ：
$.ajaxSetup({
        headers: {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        }
});

6、Laravel Where else to save CSRF TOKEN?
XSRF-TOKEN cookie in

Ps： You can also use cookie Value to set X-XSRF-TOKEN Request header

7、 Why do we need to forge the request method ？
because html The form does not support put  patch or delete The action of , If you have to use these request methods , It must be forged .

8、 An example of request method forgery
<form action="/foo/bar" method="POST">
    <input type="hidden" name="_method" value="PUT">
    <input type="hidden" name="_token" value="{ { csrf_token() }}">
</form>

You can also use auxiliary functions ：
<?php echo method_field('PUT'); ?>

stay blade In the template engine ：
{ { method_field('PUT') }}

9、 Throw out 404 The wrong way
Method 1 ： Auxiliary function  abort(404)
Method 2 ： Manual throw Symfony\Component\HttpFoundation\Exception\HttpException

Ps: The helper function simply throws a with a specified status code  
Symfony\Component\HttpKernel\Exception\NotFoundHttpException