This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
CSRF is an attack that tricks the victim into submitting a malicious request. It uses the identity and privileges of the victim to perform an undesired function on their behalf. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Without CSRF protection, an attacker can trick a victim into performing actions on their behalf, potentially leading to data loss, corruption, or unauthorized access. This is especially dangerous if the victim has administrative privileges.
To avoid violating this rule, ensure that you include the VerifyCsrfToken middleware in your application’s middleware stack. This middleware will automatically verify that the CSRF token in the request input matches the token stored in the session, thus preventing CSRF attacks. If the tokens do not match, the middleware will throw an HttpResponseException, thereby blocking the request.