When should I use a hidden field and when should I use a header, and why?

X-XSRF-TOKEN: when do we use it?

X-CSRF-TOKEN: when do we use it?
All of them are for cross-site request forgery protection, and you need to use just one of them when sending a request to the backend. The different names come from different frameworks.

It's all about sending a csrf value to the backend. Then the backend will compare it with the csrf value stored in the database for that specific user and, if it matches, it will allow processing the request.

csrf (hidden field):
<input name="my_csrf_input" value="a_hashed_string_the_csrf_value">

x-csrf-token:
The csrf value is put in a meta tag while rendering the html; then in the front end we can get the value from that meta tag and send it to the backend. Laravel specific: with laravel as backend, Laravel checks this header automatically and compares it to the valid csrf value in the database (laravel has a middleware for this).

x-xsrf-token:
Front end libraries such as axios (or angular) automatically get the value of this header from the xsrf-token cookie and put it in every request header. Set the xsrf-token cookie in the backend, then our front end framework that uses angular or axios will use it automatically. Laravel specific: with axios or angular with laravel, you don't need to do anything. Just log the user in and the 'auth' middleware will do the job.

x-csrf-token ... because cookies are encrypted in laravel.