
abdulrehman25

Endpoint /livewire/update can be hit outside of the Laravel application

Any Livewire update request can be copied from the network tab and imported into Postman. It will work just as it works in the browser, which is violating the usage of the checksum and Livewire _token included in the body of the update request.

I have added middleware checks and other checks inside the component, but it still works with the _token and checksum from the browser call.

I think there should be a randomized checksum, which will prevent such issues, like the CSRF token in Laravel.

0 likes
3 replies
Braunson
Best Answer
Level 18

Have you tried adding Persistent Middleware?

Your Postman would work if you didn't modify anything. The fundamental security underpinning Livewire is a "checksum" that travels along with request/responses and is used to validate that the state from the server hasn't been tampered with in the browser.
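
What the answer above describes, as an added example that is not part of the thread and not Livewire's own code: a simplified HMAC checksum over component state, showing that a byte-identical request validates from any HTTP client while an edited one does not. The key, the state fields and all function names are constructed for illustration, and the ownership check stands in for whatever checks the component performs.

```php
<?php
// Simplified model of an HMAC state checksum; not Livewire's source code.
// SERVER_KEY, the state fields and all function names are constructed for this example.
const SERVER_KEY = 'constructed-secret-kept-on-the-server';

function checksum(array $state): string
{
    // The MAC covers the serialized state only. Nothing about the sending
    // client (browser, Postman, curl) is part of the input.
    return hash_hmac('sha256', json_encode($state), SERVER_KEY);
}

function verify(array $payload): bool
{
    $sent = (string) ($payload['checksum'] ?? '');
    return hash_equals(checksum($payload['state'] ?? []), $sent);
}

function handleUpdate(array $payload, ?int $sessionUserId): string
{
    if (!verify($payload)) {
        return 'rejected: state was modified after the server signed it';
    }
    // Integrity passed. Who may act on this state is a separate decision,
    // made from the server-side session on every request.
    if ($sessionUserId !== $payload['state']['data']['ownerId']) {
        return 'rejected: session user is not authorized for this state';
    }
    return 'accepted';
}

// Constructed state as the server would have sent it to the browser.
$state = ['data' => ['orderId' => 1001, 'ownerId' => 7], 'memo' => ['name' => 'order-panel']];
$fromBrowser = ['state' => $state, 'checksum' => checksum($state)];

// Identical body resent by another HTTP client with the same session.
echo 'replay, same session:  ', handleUpdate($fromBrowser, 7), PHP_EOL;

// Identical body resent without a valid session.
echo 'replay, no session:    ', handleUpdate($fromBrowser, null), PHP_EOL;

// Body edited before sending: the old checksum no longer matches.
$tampered = $fromBrowser;
$tampered['state']['data']['ownerId'] = 8;
echo 'edited state:          ', handleUpdate($tampered, 8), PHP_EOL;
```

The checksum answers "is this the state the server issued?", not "which program sent it?", so the session and authorization checks are what decide whether a resent request is acted on.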

abdulrehman25

@Braunson Thank you for your response.

Yes, I have added Persistent Middleware.

You are right; I have been digging into this, and that's the scenario I find everywhere about the checksum.

But don't you think that it is not right to allow the call from anywhere other than Laravel?
