
TheFriendlyHacker

Vue XSS and CSRF protection...

If I were to create an SPA using Vue.js, what extra steps should I take to make sure I'm not vulnerable to CSRF and XSS attacks?

Assume that I'm using localstorage to keep JWT tokens on the client-side.

0 likes
2 replies
christopher

Add the csrf_token in your HTML head as a meta tag:

<meta id="token" name="token" content="{{ csrf_token() }}">

Then in your Vue.js Main File add this token to your Vue Instance.

Vue.http.headers.common['X-CSRF-TOKEN'] = document.querySelector('#token').getAttribute('content');
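Added example, not part of christopher's reply: one way to scope the header so the token from the `#token` meta tag is attached only to state-changing requests to the page's own origin. The function names, the `app.example` and `cdn.example` hosts, and the stand-in `document` object are assumptions made so the code runs in Node.

```javascript
// Hypothetical helpers (readCsrfToken, csrfHeadersFor); not Vue or Laravel APIs.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Read the token from <meta id="token" content="..."> as in the reply above.
function readCsrfToken(doc) {
  const el = doc.querySelector('#token');
  const token = el ? el.getAttribute('content') : null;
  if (!token) throw new Error('CSRF meta tag missing or empty');
  return token;
}

// Return the extra headers for a single request. The token is added only
// when the request changes state AND targets the page's own origin, so it
// is never sent to a third-party host.
function csrfHeadersFor(method, url, pageOrigin, token) {
  const target = new URL(url, pageOrigin); // resolves relative URLs
  const sameOrigin = target.origin === new URL(pageOrigin).origin;
  const stateChanging = !SAFE_METHODS.has(String(method).toUpperCase());
  return sameOrigin && stateChanging ? { 'X-CSRF-TOKEN': token } : {};
}

// Constructed stand-in for the browser's `document` (sample data).
const fakeDocument = {
  querySelector: (sel) =>
    sel === '#token'
      ? { getAttribute: (n) => (n === 'content' ? 'constructed-token-123' : null) }
      : null,
};

function demo() {
  const token = readCsrfToken(fakeDocument);
  const origin = 'https://app.example'; // assumed page origin
  return {
    post: csrfHeadersFor('POST', '/api/posts', origin, token),
    get: csrfHeadersFor('GET', '/api/posts', origin, token),
    thirdParty: csrfHeadersFor('POST', 'https://cdn.example/log', origin, token),
  };
}

console.log(demo());
```

In a browser, pass the real `document` and `window.location.origin`, and merge the returned object into the headers of each outgoing request.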
