
CSRF protection not triggering?

Posted 3 years ago by xdega

So. I have the following endpoints in my api.php routes file:

//POST routes
Route::post('/user/ban/{id}', function($id){

    $user = App\User::find($id);
    $user->is_banned = 1;
    $user->is_approved = 0;
    $user->save(); // persist the change

});

Route::post('/user/unban/{id}', function($id){

    $user = App\User::find($id);
    $user->is_banned = 0;
    $user->is_approved = 1;
    $user->save(); // persist the change

});

Route::post('/user/create-moderator/{id}', function($id){

    $user = App\User::find($id);
    $user->is_moderator = 1;
    $user->save(); // persist the change

});

These are meant to be API calls via my Vue components, not accessible outside of the application.

My concern, however, is that these routes are working without requiring me to submit X-CSRF headers. Is there some kind of new feature in Laravel 5.4, or is there a way I can explicitly ensure that the CSRF protection is being utilized?
