
CSRF Protection

Laravel has built-in CSRF protection. It essentially prevents our app from processing any non-GET request that doesn't carry a valid CSRF token. So, to allow a POST form to be processed, we usually need to add the @csrf Blade directive to our forms:

<form action="{{ route('') }}" method="post">
    @csrf
    <!-- ... -->
</form>

Since Turbo.js intercepts form submissions and converts them to fetch requests (AJAX), we don't actually need the @csrf directive in each form. Instead, Turbo.js is smart enough to read your page's meta tags, look for one named csrf-token and use its contents. Jetstream and Breeze both ship with such an element, but in case you're missing it in your views, it should look like this:

<meta name="csrf-token" content="{{ csrf_token() }}">

With that being said, you may still want to use the @csrf Blade directive if you want to support users with JavaScript disabled, since the forms will still work if they contain the CSRF token.
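
A check for the tradeoff above, as an added example that is not part of the original documentation: it scans Blade markup for non-GET forms without their own token and reports whether the layout's csrf-token meta tag is their only token source. The function names, template names and route names are constructed for illustration, and the regex matching assumes simple, well-formed form tags.

```javascript
// Added example. Template strings are constructed samples, not from a real app.
// Assumption: attribute values contain no nested quote of the same kind.
const FORM_RE = /<form\b((?:"[^"]*"|'[^']*'|[^>"'])*)>([\s\S]*?)<\/form>/gi;
const META_RE = /<meta\b[^>]*\bname\s*=\s*["']csrf-token["'][^>]*>/i;

// Opening tags of non-GET forms that carry no token field of their own.
function formsWithoutToken(template) {
  const missing = [];
  for (const [, attrs, body] of template.matchAll(FORM_RE)) {
    const m = /(?:^|\s)method\s*=\s*["']?(\w+)/i.exec(attrs);
    const method = m ? m[1].toLowerCase() : "get"; // HTML default is GET
    if (method === "get") continue;
    // @csrf renders a hidden _token input; accept either spelling.
    const hasToken = /@csrf\b/.test(body) || /name\s*=\s*["']_token["']/.test(body);
    if (!hasToken) missing.push(`<form${attrs}>`);
  }
  return missing;
}

// "needs-javascript": only Turbo's meta-tag lookup supplies the token.
// "no-token-source": neither the form nor the layout provides one.
function auditCsrf(layout, templates) {
  const metaPresent = META_RE.test(layout);
  const findings = [];
  for (const [name, source] of Object.entries(templates)) {
    for (const form of formsWithoutToken(source)) {
      findings.push({
        template: name,
        form,
        status: metaPresent ? "needs-javascript" : "no-token-source",
      });
    }
  }
  return { metaPresent, findings };
}

const layout = `<head><meta name="csrf-token" content="{{ csrf_token() }}"></head>`;
const templates = {
  "comments/create.blade.php":
    `<form action="{{ route('comments.store', $post->id) }}" method="post">\n  @csrf\n</form>`,
  "comments/delete.blade.php":
    `<form action="{{ route('comments.destroy', $comment) }}" method="post">\n  @method('DELETE')\n</form>`,
  "search.blade.php": `<form action="/search"><input name="q"></form>`,
};

console.log(JSON.stringify(auditCsrf(layout, templates), null, 2));
```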
