Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hello everyone,
Just have a quick question about sending information from an order form on the a Vue frontend to a Laravel backend API. The form will be public for anyone to fill out but will have sensitive information such as addresses, contact numbers etc
I would like the data sent from the frontend to be encrypted, ideally have some sort restriction so only the frontend can submit orders to the backend.
Recent examples I've seen online are related to Sanctum and mostly have logins, and it's not ideal to ask public users to register/login before making an order.
Will CSRF, CORS and SSL be enough, or do I need something more?
Thank you
Csrf is in place to ensure that only your site can submit data using post, put and delete. So that alone will get you far https://laravel.com/docs/8.x/csrf
So make sure the routes use csrf protection
If you use inertia, then this is built in https://inertiajs.com/csrf-protection
@sinnbeck thanks for the quick reply!
The Laravel docs mention App\Http\Middleware\VerifyCsrfToken middleware which is included in the 'web' middleware group to verify the CSRF token.
I am currently using API routes which the Vue frontend hits. Do I just add VerifyCsrfToken middleware to the 'API' middleware group?
@gamanoryte so you don't plan to use any kind of sessions since you are using the api routes? Api is stateless
If you don't want to use web.php you can make a third routes file (and implementation) for your ajax calls
@sinnbeck Thank you, I think I'll go with web routes for now.
I was considering using Sanctum with API routes as the docs mention it provides SPA authentication:
This provides the benefits of CSRF protection, session authentication, as well as protects against leakage of the authentication credentials via XSS.
https://laravel.com/docs/8.x/sanctum#how-it-works-spa-authentication
@gamanoryte Yeah. It also uses the web middleware which the web.php routes use :)
Typically, Sanctum utilizes Laravel's web authentication guard to accomplish this
Ahh, so you don't use api.php when using Sanctum?
Do you know of any articles/examples to hand?
@gamanoryte I believe it can work with both. You can read about it here: https://laravel.com/docs/8.x/sanctum#protecting-routes
@Sinnbeck Great! Thanks for your help and time :-)
Please or to participate in this conversation.