How can I try sending a POST request to a Laravel app with Postman?
Normally Laravel has a csrf_token that we have to pass with a POST/PUT request. How can I get and send this value in Postman? Is it even possible without turning off the CSRF protection?
Ah wait, I misread the question. You want to do it without turning off the CSRF protection? Like Bharat Geleda said: You can make a route that returns only the token and manually copy it in a _token field in Postman.
But I would recommend excluding your API calls from the CSRF protection like below, and adding some sort of API authentication later.
Which version of Laravel are you running?
Since 5.2 the CSRF token is only required on routes with web middleware. So put your API routes outside the group with web middleware.
See the "The Default Routes File" heading in the documentation for more info.
You can exclude routes which should not have CSRF protection in the VerifyCsrfToken middleware like this:
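    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

    class VerifyCsrfToken extends BaseVerifier
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'api/*',
        ];
    }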
See the "Excluding URIs From CSRF Protection" heading in the documentation for more info.
Thanks, yeah that makes more sense. For API, instead of CSRF, using authentication is the best option.
Can't get this to work in Laravel 5.5. Postman just showing "page has expired due to inactivity"- which means the token is rejected / or not working..?
@Inigo That is the new page for TokenException, so your token is rejected. Probably because your sessions are not working properly. Check if your storage folder is writable for sessions.
@Hilmanrdn: Bit late to the game, but I'd recommend using both — they're designed to solve completely different security vulnerabilities.
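Added example, not part of the original thread and not Laravel's own code: a simplified JavaScript model of the session-bound check discussed above, showing why a copied `_token` is accepted only together with its session, and how an `api/*` exclusion skips the check entirely. The session ids, token value and request objects are constructed; only the `_token` field and the `api/*` pattern come from the answer.

```javascript
// Simplified model of a session-bound CSRF check (assumption: not Laravel's code).
const EXCEPT = ['api/*'];                         // mirrors $except in the answer
const READ_ONLY = new Set(['GET', 'HEAD', 'OPTIONS']);

// Wildcard match: '*' stands for any run of characters, anchored at both ends.
function isExcluded(path, patterns = EXCEPT) {
  const p = path.replace(/^\/+/, '');
  return patterns.some((pat) => {
    const re = pat.split('*')
      .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
      .join('.*');
    return new RegExp(`^${re}$`).test(p);
  });
}

// Compare without an early exit, so timing does not reveal the matching prefix.
function tokensMatch(expected, supplied) {
  if (typeof expected !== 'string' || typeof supplied !== 'string') return false;
  if (expected.length !== supplied.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// sessions: Map of session id -> { token }; req: { method, path, sessionId, body }.
function checkCsrf(req, sessions) {
  if (READ_ONLY.has(req.method)) return 'skipped: read-only method';
  if (isExcluded(req.path)) return 'skipped: excluded URI';
  const session = sessions.get(req.sessionId);
  if (!session) return 'rejected: no session for this cookie';
  const supplied = req.body ? req.body._token : undefined;
  return tokensMatch(session.token, supplied) ? 'accepted' : 'rejected: token mismatch';
}

// Constructed sample data: one stored session, as after calling the token route once.
const token = 'constructed-sample-token-0123456789';
const sessions = new Map([['sess-1', { token }]]);
const samples = [
  { method: 'POST', path: '/posts', sessionId: 'sess-1', body: { _token: token } },
  { method: 'POST', path: '/posts', sessionId: 'sess-1', body: {} },
  { method: 'POST', path: '/posts', sessionId: 'sess-2', body: { _token: token } },
  { method: 'PUT', path: '/api/posts/1', sessionId: undefined, body: {} },
];
for (const r of samples) console.log(r.method, r.path, '->', checkCsrf(r, sessions));
```

The third sample is the case from the comments: a valid token sent without the session it was issued for is rejected, which is what happens when the session cookie is not returned or sessions are not being stored.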