What is CSRF protection in Laravel?
Why Interviewers Ask This
Interviewers use this question to quickly assess whether a candidate has the foundational knowledge required for Laravel development. It reveals whether you understand the building blocks that more complex concepts rely on.
Answer
Laravel automatically protects all web routes against Cross-Site Request Forgery (CSRF) attacks via the VerifyCsrfToken middleware. For every HTML form, add the @csrf Blade directive, which generates a hidden input field containing a unique token: <input type="hidden" name="_token" value="...">. Laravel validates this token on every POST, PUT, PATCH, and DELETE request; if the token is missing or invalid, a 419 (Page Expired) response is returned. For AJAX requests, send the token in the X-CSRF-TOKEN request header. Axios (included in Laravel's frontend scaffolding) automatically includes the CSRF token from the meta tag in all AJAX requests. Exclude specific URIs with $except in the middleware class (e.g., webhook endpoints).
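As an added illustration, not Laravel's own code: a simplified stand-in for the decision VerifyCsrfToken makes, runnable with the plain PHP CLI. It goes slightly beyond the answer above by showing the wildcard matching of $except patterns and the constant-time token comparison; the request arrays, the `webhooks/*` exclusion and the session token are constructed assumptions.

```php
<?php
// Simplified educational stand-in for Laravel's VerifyCsrfToken check (not the framework's code).
final class CsrfCheck
{
    /** URI patterns that skip the check, e.g. third-party webhooks (mirrors Laravel's $except). */
    private const EXCEPT = ['webhooks/*'];

    /** Read-only methods that need no token, as in the middleware's isReading(). */
    private const READING = ['HEAD', 'GET', 'OPTIONS'];

    public function __construct(private string $sessionToken) {}

    /** Returns 200 when the request may proceed, 419 (Page Expired) when it may not. */
    public function handle(array $request): int
    {
        if (in_array($request['method'], self::READING, true) || $this->isExcluded($request['path'])) {
            return 200;
        }
        // The token comes from the @csrf hidden field first, then from the AJAX header.
        $token = $request['input']['_token'] ?? $request['headers']['X-CSRF-TOKEN'] ?? null;
        // hash_equals() compares in constant time, so a mismatch leaks no timing information.
        return is_string($token) && hash_equals($this->sessionToken, $token) ? 200 : 419;
    }

    private function isExcluded(string $path): bool
    {
        foreach (self::EXCEPT as $pattern) {
            // Turn the '*' wildcard of an $except entry into a regex, matching the path without its leading slash.
            $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
            if (preg_match($regex, ltrim($path, '/'))) {
                return true;
            }
        }
        return false;
    }
}

$sessionToken = bin2hex(random_bytes(20)); // constructed 40-character session token
$check = new CsrfCheck($sessionToken);

$cases = [ // constructed sample requests
    'GET without token'            => ['method' => 'GET',  'path' => '/profile', 'input' => [], 'headers' => []],
    'POST from @csrf form'         => ['method' => 'POST', 'path' => '/profile', 'input' => ['_token' => $sessionToken], 'headers' => []],
    'POST missing token'           => ['method' => 'POST', 'path' => '/profile', 'input' => [], 'headers' => []],
    'AJAX with X-CSRF-TOKEN'       => ['method' => 'POST', 'path' => '/profile', 'input' => [], 'headers' => ['X-CSRF-TOKEN' => $sessionToken]],
    'Webhook excluded via $except' => ['method' => 'POST', 'path' => '/webhooks/stripe', 'input' => [], 'headers' => []],
];
foreach ($cases as $label => $request) {
    printf("%-30s -> %d\n", $label, $check->handle($request));
}
```

Running it prints 200 for every case except "POST missing token", which gets 419.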
Pro Tip
Before answering, structure your response: one-line definition → real-world analogy → concrete example from a project. This makes even complex Laravel answers easy to follow.