What is CSRF protection in Laravel?

Answer

Laravel automatically protects all web routes against Cross-Site Request Forgery (CSRF) attacks via the VerifyCsrfToken middleware. For every HTML form, add the @csrf Blade directive which generates a hidden input field containing a unique token: <input type="hidden" name="_token" value="...">. Laravel validates this token on every POST, PUT, PATCH, and DELETE request — if the token is missing or invalid, a 419 (Page Expired) response is returned. For AJAX requests, include the token in the request headers: X-CSRF-TOKEN. Axios (included in Laravel's frontend scaffolding) automatically includes the CSRF token from the meta tag in all AJAX requests. Exclude specific URIs with $except in the middleware class (e.g., webhook endpoints).