
JeroenVanOort

TokenMismatchException instead of 405

Lately, we've been seeing some DoS attacks on our applications that execute an empty POST on /, probably aimed at making as many session files as possible, making the server or account run out of disk space. There is no POST route for / on this application, so I'd expect Laravel to reply with a 405 status code. However, it gives a TokenMismatchException instead (because there is no _token).

After looking into the code Laravel used to throw this exception, I understand why it is happening, but I haven't found out how to make it behave like I want it to. I don't know of a way to only throw the TokenMismatchException when a POST route is active, because the routes are not yet loaded.

I'd like to know if and how any of you solved this. Sending an empty POST to https://spark.laravel.com does seem to give me a 405 for example.

SaeedPrez

I tried it on my project and I get "Method not allowed", which is the 405 error. What version of Laravel are you using?

Edit: And what happens if you post to another route that does not exist, do you get token mismatch or 405?

JeroenVanOort

I think I've found out what's happening here.

I set up a vanilla Laravel install and I can indeed confirm it gives the expected 405 when firing an empty POST at /. What's in that Laravel install and not in our project is middleware groups. Because those groups of middleware are run only when there is an applicable route for them, the TokenMismatchException won't be thrown because the application never gets to that point. When moving the VerifyCsrfToken from $middlewareGroups to $middleware, however, it does give me the TokenMismatchException and not the 405.

Thanks for helping me find out.
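The middleware placement described in this thread, shown as an added example that is not part of the original posts or of the posters' project. The file layout and class names are assumed from a stock Laravel 5.x install that ships middleware groups; the commented-out line marks the placement that produced the TokenMismatchException.

```php
<?php
// app/Http/Kernel.php (assumed layout of a stock Laravel 5.x install with
// middleware groups; adjust class names to the version actually in use).

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    // Global stack: runs on every request, before the router has matched a
    // route. Middleware listed here also runs for requests that would
    // otherwise end in 404 or 405.
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,

        // Placement described in the thread: with the CSRF check in the
        // global stack, an empty POST to / fails token verification before
        // routing can answer 405.
        // \App\Http\Middleware\VerifyCsrfToken::class,
    ];

    // Route groups: applied only after a route that uses the group has
    // matched. A POST to a path with no POST route never reaches these,
    // so the router's 405 is returned instead.
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
        ],
    ];
}
```

To check an existing project, look for session or CSRF middleware in `$middleware`; the same ordering applies to anything listed there, so it executes for unrouted requests as well.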
