juandmegon

A RESTful API should be stateless, it means that it is not neccessary to keep the state through requests (sessions) in this way the CSRF verification is not completely necessary. To "disable" the sesssion, just go to the .env file and there change SESSION_DRIVER to array: SESSION_DRIVER=array

In this way it is not possible that someone take advantage of a stored sessions (CSRF).

Then you can just disable the CSRF middleware, commenting the respective line in the kernel.php file.

Aditionaly is a very good idea add some validation mechanism like basic auth (at least), or preferibly OAuth2 or JWT.

Hope many of you found this helpful.

Return to Thread...