3 years ago (547,945 XP)

@billmn More cleaner way :

# app/Http/Kernel.php :

     * The application's global HTTP middleware stack.
     * @var array
    protected $middleware = [
        // 'App\Http\Middleware\VerifyCsrfToken', // Erase this
     * The application's route middleware.
     * @var array
    protected $routeMiddleware = [
        'auth' => 'App\Http\Middleware\Authenticate',
        'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
        'guest' => 'App\Http\Middleware\RedirectIfAuthenticated',
        'csrf' => 'App\Http\Middleware\VerifyCsrfToken',

Then in route.php :

// List of api routes

$router->group(['middleware' => 'csrf'], function($router)
  // CSRF protected routes.

But again, ajax calls should be csrf protected. This method above is cool for api calls from external places.


@billmn post gave an idea, all you have to do just open this file app/Http/Middleware/VerifyCsrfToken.php and add 'api/*' in protected $except array. Works for me and is clean way to exception routes.

use Closure; use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier { /** * The URIs that should be excluded from CSRF verification. * * @var array / protected $except = [ 'api/' ]; }

3 years ago (86,200 XP)

@Mashauri Yep but my post refers to Laravel 5.0 and not 5.1

Now that I have upgraded my application to L 5.1 I've used the 'except' property and works fine


After hours of research, I could fix the problem by simply adding the domain in: config/session.php

"Session Cookie Domain"

'domain' => 'your-app-domain'

It doesn't matter if the session driver is "database or other"



in Http/Middleware/VerifyCsrfToken.php you have an array called $except. Just add your api uri.

     * The URIs that should be excluded from CSRF verification.
     * @var array
    protected $except = [


I was implementing this by grouping my API routes with the prefix 'api' and excluding it in the $except array as @criste_nicu said.

But I was wondering how to do it if I change my api call routes from a prefix to a subdomain like


A RESTful API should be stateless, it means that it is not neccessary to keep the state through requests (sessions) in this way the CSRF verification is not completely necessary. To "disable" the sesssion, just go to the .env file and there change SESSION_DRIVER to array: SESSION_DRIVER=array

In this way it is not possible that someone take advantage of a stored sessions (CSRF).

Then you can just disable the CSRF middleware, commenting the respective line in the kernel.php file.

Aditionaly is a very good idea add some validation mechanism like basic auth (at least), or preferibly OAuth2 or JWT.

Hope many of you found this helpful.


Thank you @billmn.

I had a problem integrating a GoCardless API into Laravel 5.4.

My server was responding with a 500 internal server error.

Adding the uri of my webhook to /Middleware/VerifyCsrfToken.php solved the problem.

Please sign in or create an account to participate in this conversation.