Access all of Typerocket. Get Pro.
CSRF
( v5 )
Getting Started
You can add CSRF protection to your site's forms by using the middleware \App\Http\Middleware\VerifyNonce
. You will need to register the middleware to your \App\Http\Kernel
. By default, it is applied to any request using the http
group (controllers called by internal WordPress hooks have their own CSRF protections).
class Kernel extends HttpKernel
{
protected $middleware = [
'hooks' =>
[],
'http' =>
[ \App\Http\Middleware\VerifyNonce::class ],
...
];
}
TypeRocket forms automatically come with the needed CSRF tokens needed for verification when you echo
the open()
method or the form itself.
$form = tr_form([]);
echo $form->open();
echo $form->text('Name');
echo $form->close('Save');
If you have a custom HTML for you can use the tr_field_nonce()
function to add the CSRF token to your site.
<form>
<?php echo tr_field_nonce(); ?>
</form>
axios
If you are using axios you can add a CSRF token header to all requests it sends.
<script>
axios.defaults.headers.common['X-WP-NONCE'] = '<?php echo tr_nonce(); ?>';
</script>
Excluding Routes
You can exclude specific routes from the CSRF check if you like by adding those routes to your \App\Http\Middleware\VerifyNonce
middleware $except
property. You can also use the wildcard *
to match any value for a specific path part.
class VerifyNonce extends BaseVerify {
public $except = [
'api/my-path',
'api/public/*'
];
}
Found a typo? Something is wrong in this documentation? Fork and edit it!