
ashafizullah

Laravel 9 Inertia can't accept secure flag XSRF TOKEN in production mode

I have a problem with Laravel 9, Inertia.js, Vue 3 in production mode. I deployed my project to shared hosting, but I get a 419 error; it says page expired, and in the console log it says unknown status.

I think my project on production hosting cannot accept the secure XSRF-TOKEN, because if I manually remove the secure flag on XSRF-TOKEN and laravel_session, it works normally.

My project runs totally well on my local computer.

I think the problem is with the cPanel hosting, but I don't know where the problem is or how to solve it.

My HandleInertiaRequests:

<?php

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Inertia\Middleware;

class HandleInertiaRequests extends Middleware
{
	/**
	 * The root template that's loaded on the first page visit.
	 *
	 * @see https://inertiajs.com/server-side-setup#root-template
	 * @var string
	 */
	protected $rootView = 'app';

	/**
	 * Determines the current asset version.
	 *
	 * @see https://inertiajs.com/asset-versioning
	 * @param  \Illuminate\Http\Request  $request
	 * @return string|null
	 */
	public function version(Request $request): ?string
	{
		return parent::version($request);
	}

	/**
	 * Defines the props that are shared by default.
	 *
	 * @see https://inertiajs.com/shared-data
	 * @param  \Illuminate\Http\Request  $request
	 * @return array
	 */
	public function share(Request $request): array
	{
		return array_merge(parent::share($request), [
			//session
			'session' => [
				'status' 	=> fn () => $request->session()->get('status'),
				'success'   => fn () => $request->session()->get('success'),
				'error'    	=> fn () => $request->session()->get('error'),
			],
			//user authenticated
			'auth' => [
				'user'          => $request->user() ?   $request->user() : null,
				'permissions'   => $request->user() ? $request->user()->getPermissionArray() : [],
				// 'csrf' => $request->session()->token()
			],
			//route
			'route' => function () use ($request) {
				return [
					'params' => $request->route()->parameters(),
					'query' => $request->all(),
				];
			},
		]);
	}
}

My VerifyCsrfToken:

<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
	/**
	 * The URIs that should be excluded from CSRF verification.
	 *
	 * @var array<int, string>
	 */
	protected $except = [
		//
	];
}

I also tried setting 'secure' => false in session.php and clearing the cache, but it's still not working.

My website login URL is https://data.bappeda.muaraenimkab.go.id/login (doesn't work), and the demo website is here: https://kasir.appdev.my.id/ (works normally).

I use PHP 8.0 on my cPanel hosting.

0 likes
2 replies
christian-qode

@ashafizullah Have you contacted your hosting company already? Maybe they can explain this behaviour or make a change in their configuration for you.

ashafizullah

@christian-qode yes sir, I have researched a lot why my Inertia is not working here. And I found the problem is with strict-transport-security: the max-age value is only 300 on the server; it should be 31536000.
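
A check for the response headers discussed in this thread, as an added example that is not part of the original posts: it parses Set-Cookie and Strict-Transport-Security values and lists the conditions under which the browser ends up without a usable XSRF-TOKEN or laravel_session cookie. The function names, the app.example.test URL and the header values are constructed for illustration; the 31536000 default is the figure quoted in the last reply.

```javascript
// Added diagnostic example; all header values below are constructed.

// Parse one Set-Cookie value into { name, value, attrs } (attribute names lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq < 0 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Extract max-age (seconds) from a Strict-Transport-Security value, or null if absent.
function hstsMaxAge(value) {
  const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(value || '');
  return m ? Number(m[1]) : null;
}

// List conditions that leave the client without a usable CSRF or session cookie.
function auditResponse(pageUrl, setCookieHeaders, hstsHeader, expectedMaxAge = 31536000) {
  const https = new URL(pageUrl).protocol === 'https:';
  const findings = [];
  const cookies = setCookieHeaders.map(parseSetCookie);
  for (const wanted of ['XSRF-TOKEN', 'laravel_session']) {
    const c = cookies.find(x => x.name === wanted);
    if (!c) { findings.push(`${wanted}: not set`); continue; }
    if (c.attrs.secure && !https)
      findings.push(`${wanted}: Secure cookie on an http:// page is discarded by the browser`);
    if (!c.attrs.secure && https)
      findings.push(`${wanted}: served over https without Secure`);
    if (wanted === 'XSRF-TOKEN' && c.attrs.httponly)
      findings.push('XSRF-TOKEN: HttpOnly hides it from the script that copies it to X-XSRF-TOKEN');
  }
  const age = hstsMaxAge(hstsHeader);
  if (age === null) findings.push('HSTS: header absent');
  else if (age < expectedMaxAge) findings.push(`HSTS: max-age=${age} is below ${expectedMaxAge}`);
  return findings;
}

// Constructed sample: both cookies marked Secure, page reached over plain http.
const sampleCookies = [
  'XSRF-TOKEN=abc123; path=/; secure; samesite=lax',
  'laravel_session=def456; path=/; secure; httponly; samesite=lax',
];
console.log(auditResponse('http://app.example.test/login', sampleCookies, 'max-age=300').join('\n'));
```
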
