
insight's avatar

How to avoid 419 unknown status issue for PUT ?

Dear Friends, as part of a security audit they suggested "Disable HTTP Methods". As part of it I checked it on my localhost using the command `curl -i -X PUT http://127.0.0.1:8000/Vacancies/` and got the output:

HTTP/1.1 419 unknown status
Host: 127.0.0.1:8000
Date: Wed, 09 Aug 2023 11:12:51 GMT
Connection: close
Cache-Control: no-cache, private
date: Wed, 09 Aug 2023 11:12:51 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: laravel_session=eyJpdiI6IkhZQ0VoRUlYMGFCWVZWcWdUSWZYa3c9PSIsInZhbHVlIjoiOHdOeWRCNVRJZUVQNVlQZU5FdXd6RlNFRGhqWFhMcU1KTG4yL211Z1lCRTN0UklXdmVlQUNMTGl6SVVodUEwT2p4ZVhwV3NJNDB2M3Q2dDRNeU4zUWlpZFFrU2hGcjdiT3hxOVBpSkdNL3BHNWo4czVrUXp1dmtzdWNpandHTUUiLCJtYWMiOiJlM2IwMWQ2YTAwMGQxZWQyMTNlN2Q3M2M3NmZhN2EwMTFlOGI5ZTZkNGRlZjliMjc2MTIxZjNlY2QyYzQ5NDI4IiwidGFnIjoiIn0%3D; expires=Wed, 09 Aug 2023 13:12:51 GMT; Max-Age=7200; path=/; httponly; samesite=lax

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>Page Expired</title>

    </head>
    <body class="antialiased">
        <div class="relative flex items-top justify-center min-h-screen bg-gray-100 dark:bg-gray-900 sm:items-center sm:pt-0">
            <div class="max-w-xl mx-auto sm:px-6 lg:px-8">
                <div class="flex items-center pt-8 sm:justify-start sm:pt-0">
                    <div class="px-4 text-lg text-gray-500 border-r border-gray-400 tracking-wider">
                        419                    </div>

                    <div class="ml-4 text-lg text-gray-500 uppercase tracking-wider">
                        Page Expired                    </div>
                </div>
            </div>
        </div>
    </body>
</html>

I need to avoid that. On searching I found a solution by editing .htaccess as:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/ [L]
</IfModule>

I created a new .htaccess file in my root folder (i.e. C:\xampp\htdocs\xxx_yyy) and put this in it:

# Disable directory browsing
Options All -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/ [L]
</IfModule>
# ----------------------------------------------------------------------
# Rewrite engine
# ----------------------------------------------------------------------
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|PATCH|TRACK|OPTIONS)
RewriteRule .* - [F]

# Disable server signature start
ServerSignature Off
# Disable server signature end

but in my case that rule is not taking effect. mod_rewrite is already enabled in my configuration. How can it be solved?

Please advise

Thanks

Anes P A

0 likes
15 replies
vincent15000's avatar

What is the context in which you are using a PUT request? Is it via a form?

A 419 HTTP error often occurs when you forget to add the CSRF protection @csrf inside the form.

JussiMannisto's avatar

@insight If the route is for showing a home page, why are you using PUT? It's natural that CSRF protection is required for PUT requests. You should get a 419 error if you do this.

1 like
insight's avatar

@JussiMannisto Actually I am not using PUT there. The security auditing team reported that. How can it be avoided?

1 like
JussiMannisto's avatar

@insight You DID use a PUT request and then asked how to avoid the 419 error. The answer is you can't avoid it. If you allow PUT requests on this route, you will get a 419 error.

The only real issue is that you're allowing the PUT method to begin with. With a proper route definition you should get a 405 (Method Not Allowed) error instead of the 419 you're seeing. So you should fix your routes to only allow the relevant HTTP methods. This is probably what that audit suggestion means, but I can't say for sure without reading the report.

If you have trouble with implementing or comprehending the suggestions in the audit report, you might want to consult a senior developer.

1 like
Snapey's avatar

If you do a PUT without a CSRF token, then a 419 error is the result.

If you don't specify the header accept:application/json then you get an HTML error page.

If you want to mess with .htaccess then do it to the file in the public folder, not the one in your project root.

1 like
Snapey's avatar

what response are you hoping to get?

1 like
vincent15000's avatar

I just think that you can't avoid the 419 error because the PUT method doesn't exist for the route.

What you could do is to catch the exception if some user tries to access this route with another method than GET.

JussiMannisto's avatar

@vincent15000 That's not what's going on. If a PUT request wasn't supported on this route, he'd get a 405 error instead of the 419.

The correct fix is not to get rid of the exception, it is to remove PUT support from this route. The server should return an error code if PUT is used here.

1 like
vincent15000's avatar

@JussiMannisto Yes I agree. I think that to help him, he should have more details about the error specified by the audit company.

The 419 error occurs when you forget the CSRF token and not when you are using a PUT method instead of a GET method.

Snapey's avatar

@vincent15000 you and @jussimannisto are both missing the point.

What he wants is to PUT to ANY route in the app and get no response. The security guys are saying: your web browser application does not use the PUT HTTP verb, so it should be disabled to reduce the attack surface.

Remember, browsers don't send PUT requests. They only send POST, and you need to add the hidden _method field to create the impression of PUT or PATCH.

2 likes
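Putting JussiMannisto's point (reject the verb with a 405 before CSRF is ever consulted) together with Snapey's (browsers only send GET/POST, PUT/PATCH arrive as POST plus a hidden _method field, and a project-root .htaccess does nothing; if 127.0.0.1:8000 is `php artisan serve`, no .htaccess is consulted at all), here is an added example that is not code from the original thread: a global Laravel middleware that enforces a wire-level method allow-list inside the application. The class name RestrictHttpMethods, its file path and the Laravel 11 style bootstrap/app.php registration are assumptions.

```php
<?php
// app/Http/Middleware/RestrictHttpMethods.php (hypothetical path and class name)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictHttpMethods
{
    // Verbs a browser-driven Laravel app needs on the wire. HEAD is implied by
    // every GET route; PUT/PATCH/DELETE never appear here because HTML forms
    // send them as POST + hidden _method. Add OPTIONS only for CORS preflights.
    private const ALLOWED = ['GET', 'HEAD', 'POST'];

    public function handle(Request $request, Closure $next): Response
    {
        // getRealMethod() is the verb actually on the wire; method() would report
        // the spoofed verb (PUT for a POST carrying _method=PUT), which is the
        // legitimate form case that must still reach the router.
        $real = strtoupper($request->getRealMethod());

        if (! in_array($real, self::ALLOWED, true)) {
            // Registered as global middleware, this runs before routing, the
            // session and VerifyCsrfToken: the probe gets a 405 with an Allow
            // header instead of the 419 HTML page, and no session cookie is set.
            return response()->json(
                ['message' => 'Method Not Allowed'],
                405,
                ['Allow' => implode(', ', self::ALLOWED)]
            );
        }

        return $next($request);
    }
}

// bootstrap/app.php (Laravel 11 style; on Laravel 10 and earlier add the class
// to the $middleware array in app/Http/Kernel.php instead):
//
// use App\Http\Middleware\RestrictHttpMethods;
// use Illuminate\Foundation\Configuration\Middleware;
//
// ->withMiddleware(function (Middleware $middleware) {
//     $middleware->prepend(RestrictHttpMethods::class);
// })
```

Re-run the same `curl -i -X PUT` probe from the question afterwards: the expected response is a 405 with `Allow: GET, HEAD, POST` and no laravel_session cookie, while a plain GET still serves the page and a POST with `_method=PUT` and a valid token still reaches the update route.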
