When I use a form to post to the /login route, a valid CSRF token is needed.
<form role="form" method="POST" action="/login">
However, I can login completely without the token simply using:
axios.post("/login", { email: this.email, password: this.password })
  .then((res) => {
    window.location.href = "/dashboard";
  });
This is a security risk, right? Why is that? How can I fix it?
CodePudding user response:
It's not a vulnerability. If you check your resources/js/bootstrap.js
file, a comment explains this.
/**
 * We'll load the axios HTTP library which allows us to easily issue requests
 * to our Laravel back-end. This library automatically handles sending the
 * CSRF token as a header based on the value of the "XSRF" token cookie.
 */
If you inspect the request made in the network tab of your browser's dev tools, you will see the XSRF-Token header.
CodePudding user response:
Just add this in your frontend.blade.php file head:
<meta name="csrf-token" content="{{ csrf_token() }}">
And in your bootstrap.js file it is well protected by declaring and authorizing axios.