
thesimons's avatar

Excluding route from CSRF doesn't work

Hello,

According to the Laravel manual, I have edited the bootstrap/app.php in the following way:

return Application::configure(basePath: dirname(__DIR__))
   ->withRouting(
       web: __DIR__ . '/../routes/web.php',
       api: __DIR__ . '/../routes/api.php',
       commands: __DIR__ . '/../routes/console.php',
       channels: __DIR__ . '/../routes/channels.php',
       health: '/up',
   )
   ->withMiddleware(function (Middleware $middleware) {
       $middleware->validateCsrfTokens(except: [
           '/checkout/complete/*',
           'https://secure1.domain.test/checkout/complete/*',
       ]);
   })
   ->withExceptions(function (Exceptions $exceptions) {
       //
   })->create();

However, I keep getting a 419 from a POST call to https://secure1.domain.test/checkout/complete/.

What am I doing wrong?

Thanks, Simon

tykus's avatar

If the wildcard segment might not exist, then include that as an explicit option in the excluded URIs

$middleware->validateCsrfTokens(except: [
  '/checkout/complete',
  '/checkout/complete/*',
]);
gburi's avatar

The except pattern you're using might not be matching the exact URL. Try these variations:

$middleware->validateCsrfTokens(except: [
  '/checkout/complete/',
  'secure1.domain.test/checkout/complete/', // without https://
  'secure1.domain.test/checkout/complete/', // with wildcard
  '/checkout/complete/', // more general
]);

thesimons's avatar

Hello,

I fixed it by matching the exact pattern ///* (I have 3 arguments).

I was thinking that the wildcard was for "whatever after".

Thanks for your inputs.

Thanks, Simon
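
The matching behaviour discussed in this thread, as an added example that is not part of any post above and is not Laravel's own code: a stand-alone model that assumes each `except` entry is trimmed of slashes, `*` is translated to the regex `.*`, and entries are compared with the request path and the full URL without their trailing slash. The helper names `patternMatches` and `isExcluded` and the sample URLs are constructed for illustration.

```php
<?php
// Stand-alone model of CSRF "except" matching (assumed semantics, not framework source).

function patternMatches(string $pattern, string $value): bool
{
    if ($pattern === $value) {
        return true;
    }
    // Quote the pattern for regex use, then turn the escaped '*' into "any characters".
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $value) === 1;
}

function isExcluded(string $url, array $except): bool
{
    $parts = parse_url($url);
    // The path is compared without leading or trailing slashes ('/' for the root).
    $path = trim($parts['path'] ?? '', '/');
    $path = $path === '' ? '/' : $path;
    $fullUrl = $parts['scheme'] . '://' . $parts['host'] . ($path === '/' ? '' : '/' . $path);
    if (isset($parts['query'])) {
        $fullUrl .= '?' . $parts['query'];
    }
    foreach ($except as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/'); // entries lose their own slashes too
        }
        if (patternMatches($pattern, $fullUrl) || patternMatches($pattern, $path)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests on the thread's host; the trailing segments are made up.
$urls = [
    'https://secure1.domain.test/checkout/complete/',
    'https://secure1.domain.test/checkout/complete/42',
    'https://secure1.domain.test/checkout/complete/42/paid/abc',
    'https://secure1.domain.test/checkout/completed',
];
$configs = [
    'original post'  => ['/checkout/complete/*', 'https://secure1.domain.test/checkout/complete/*'],
    'with bare path' => ['/checkout/complete', '/checkout/complete/*'],
];
foreach ($configs as $label => $except) {
    foreach ($urls as $url) {
        printf("%-15s %-58s %s\n", $label, $url, isExcluded($url, $except) ? 'CSRF skipped' : 'CSRF enforced');
    }
}
```

Under these assumptions `*` is not bound to a single path segment, so each entry should be kept as narrow as the callback route requires: every URL an entry matches accepts POST requests without a CSRF token.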
