Level 65
Read it from the header value?
Apr 17, 2015
4
Level 1
Proper way to send csrf token in ajax requests with angularjs
Hi Everyone,
Ran into a problem sending ajax requests through angular to my Laravel API backend. The tokenmismatch exception was catching, so I came across a solution on these forums to create the csrf_token var in the meta tag and give it to the $scope object in angular. '>
Then in my angular controller when we make a POST request to the backend api, I can supply the CSRF token as such:
$http.post('//api/test', { title: $scope.test.title, name: $scope.test.name, _token: $scope.csrf_token });
I guess my question is whether or not this is considered to be good practice and safe. It is working great for me, but anyone who knows how to use dev tools in a browser can grab the csrf token for that page as its in the meta tag. Any thoughts on how to properly do this?
Level 1
Never thought of that.... set the header value in app.blade? that way any time an angular controller needs it, it's available.
Level 14
You're using $http service.
By default it has XSRF protection.
When performing XHR requests, the $http service reads a token from a cookie (by default,
XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN).
Level 65
Yeah, I meant the above HTTP header item. It's already included in each request :)
Please or to participate in this conversation.