Why does the Laravel API return a 419 status code on POST and PUT methods?
This can solve by excluding csrf protection of specific route you want to.
Inside your middleware folder, edit the file called VerifyCsrfToken.php
protected $except = [
'http://127.0.0.1:8000/person/'
];
As per my Knowledge there are two methods to solve this
Method 1: Add CsrF Token
Method 2: Exclude URIs from CSRF protection
How to use
Method 1: Add one more variable to your POST request
_token: "{{ csrf_token() }}"
Example for Ajax
req = $.ajax({
type: "POST",
url: "/search",
data: {
"key": "value",
_token: "{{ csrf_token() }}",
},
dataType: "text",
success: function(msg) {
// ...
}
});
Example if you using forms
<input type="hidden" name="_token" id="token" value="{{ csrf_token() }}">
Method 2: There is a file named VerifyCsrfToken
in following location
yourProjectDirectory/app/Http/Middleware
Add your URL in following method
protected $except = [
'url1/',
'url2/',
];
When To use
If you are the owner(full control) of API, use Method 1, as CSRF Token adds security to your application.
If you are unable to add CSRF Token like in case if you are using any third party API's, webhooks etc., then go for Method 2.
If you are developing REST APIs, you better not add tokens. If you are using 5.4 or 5.5 you can use api.php
instead of web.php
. In api.php
you don't need token verifcation on post requests.
If you are using web.php
, then you can exculde routes that you don't want to validate with CSRF Tokens.
Here is the official documentation:
Excluding URIs From CSRF Protection
Sometimes you may wish to exclude a set of URIs from CSRF protection. For example, if you are using Stripe to process payments and are utilizing their webhook system, you will need to exclude your Stripe webhook handler route from CSRF protection since Stripe will not know what CSRF token to send to your routes.
Typically, you should place these kinds of routes outside of the
web
middleware group that theRouteServiceProvider
applies to all routes in theroutes/web.php
file. However, you may also exclude the routes by adding their URIs to the$except
property of theVerifyCsrfToken
middleware:<?php namespace App\Http\Middleware; use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier; class VerifyCsrfToken extends BaseVerifier { /** * The URIs that should be excluded from CSRF verification. * * @var array */ protected $except = [ 'stripe/*', 'http://example.com/foo/bar', 'http://example.com/foo/*', ]; }
For reference https://laravel.com/docs/5.5/csrf