
alanbdev:

Laravel allowing post requests without csrf token (using Axios/ajax)

This is just baffling. There's no csrf token being passed in, but the post request is still going through. Any idea why?

0 likes
11 replies
rin4ik:

It actually has a CSRF token; take a look at the bootstrap.js file:

/**
 * Next we will register the CSRF Token as a common header with Axios so that
 * all outgoing HTTP requests automatically have it attached. This is just
 * a simple convenience so we don't have to attach every token manually.
 */

let token = document.head.querySelector('meta[name="csrf-token"]');

if (token) {
    window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
} else {
    console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
}

Because of these lines you can simply post with Axios without including the CSRF token manually in each request.

1 like
alanbdev:

Well, if I cleared out the app.js file before adding my own JS, shouldn't that prevent that from being loaded, or does it still get imported someplace?

alanbdev:

The CSRF token isn't in the header, I checked. lol. The XSRF one is, but not the CSRF.

rin4ik:

window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;

token.content is that CSRF token:

let token = document.head.querySelector('meta[name="csrf-token"]');
click:

If you are 100% sure the CSRF token is not passed, it is also possible you simply do not check the CSRF token.

Do you have the VerifyCsrfToken middleware set on your route? If you are not sure, the simplest way to check is to step through your code with Xdebug and set a breakpoint in VerifyCsrfToken::inExceptArray(), for example. Or just add dd('HELLO') in the same method. If you are still able to post, you do not have the CSRF verify middleware set on your route.

alanbdev:

So, just to clarify: it's OK for a post to be accepted when just the XSRF token is passed in, but not a CSRF token, since they're the same thing? XSRF will prevent XSS?

Snapey:

If these are api.php routes, then CSRF is not applied.

karltheg:

Hi there, I know this is an old post, but I was struggling with the same issue and first thought my routes were not protected. However, after looking at the Laravel docs, this is mentioned on the CSRF page here. Quoting:

Laravel stores the current CSRF token in a XSRF-TOKEN cookie that is included with each response generated by the framework. You can use the cookie value to set the X-XSRF-TOKEN request header.

This cookie is primarily sent as a convenience since some JavaScript frameworks and libraries, like Angular and Axios, automatically place its value in the X-XSRF-TOKEN header.

Laravel first tries to get the CSRF token from the parameter called _token in the POST request, and if it is missing, THEN it tries to get it from an X-CSRF-TOKEN header and then from the X-XSRF-TOKEN header. In /vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php:

protected function getTokenFromRequest($request)
{
    // Form field first, then the plain header set from the meta tag
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    // Fall back to the header Axios fills from the encrypted XSRF-TOKEN cookie
    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        $token = $this->encrypter->decrypt($header, static::serialized());
    }

    return $token;
}
1 like
