CSRF
Eugene, 2018-02-07 12:08:20

Laravel: Is CSRF protection needed in API?

I am implementing a small API, everything is installed initially out of the box.

Route::apiResources([
    '/events'     => 'API\EventsController',
    '/schedulers' => 'API\SchedulersController',
]);

But only GET requests are processed on these routes; all the rest are ignored (the error "The page has expired due to inactivity").
I started digging and realized that the cause was CSRF. For now I have commented out the middleware "\App\Http\Middleware\VerifyCsrfToken::class,". But it is only in the WEB section; it is not available for the API.
Maybe I'm approaching API development in the wrong way?


2 answer(s)
Tesla, 2018-02-07
@Tesla

For the API, Laravel already has a middleware group api in app\Http\Kernel.php.
CSRF protection is not designed to protect APIs. API Authentication (Passport)

Andreo, 2018-02-07
@chupacabramiamor

We need details on how you authorize the user through the API, because there is a suspicion that you do not give an authorization token during this authorization or do not use it when making requests to secure nodes.
And yes. CSRF does not work in API requests, since sessions are used to store the verification token, which, in turn, are not used in the API.
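
How the two answers fit together, as an added example that is not part of the original thread. It assumes a stock Laravel 5.x skeleton, that the routes in the question were registered in routes/web.php (which is why VerifyCsrfToken ran on them), and that the api guard is configured, for instance with Passport.

```php
<?php
// routes/api.php  (added example; assumes a stock Laravel 5.x skeleton)
//
// RouteServiceProvider loads this file with the "api" middleware group and
// an /api URI prefix. That group has no StartSession and no VerifyCsrfToken,
// so POST/PUT/PATCH/DELETE are not rejected for a missing CSRF token.
//
// VerifyCsrfToken stays enabled in the "web" group of app/Http/Kernel.php:
// routes/web.php authenticates with the session cookie, which the browser
// attaches automatically, and that is the case CSRF protection exists for.

use Illuminate\Support\Facades\Route;

// auth:api requires every request to carry the token itself (for example
// "Authorization: Bearer <token>"). Assumption: the "api" guard in
// config/auth.php is configured, e.g. with Passport.
Route::middleware('auth:api')->group(function () {
    Route::apiResources([
        'events'     => 'API\EventsController',     // served at /api/events
        'schedulers' => 'API\SchedulersController', // served at /api/schedulers
    ]);
});
```

With the routes here, the commented-out VerifyCsrfToken line in the web group can be restored so that session-backed pages keep their CSRF check.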
