Subdomain POST requests - CSRF protection?

Hi All

Firstly, I'm digging this new design for Laravel.IO - it just gets the job done so well. :)

Right, so I have a site built with Bolt ( that runs on the main domain (let's call this www.domain.tld). I'd like to create a Laravel app that I can install on a subdomain (let's call this formengine.domain.tld). This app would be used to process forms from the main site, and send emails.

Problem is, how do I go about making that secure? As the two apps are different, how would I get a CSRF token on the main site?

At the moment, I know I'll be using a referrer check so that people don't just send forms as and when they please from another site, or perhaps manually through the API. I may even add a X-FormPassword parameter, where the password is randomly generated by Bolt according to a specific set of patterns and rules, sent to the Laravel app and decoded. If correct, it would allow the form to be sent.

But, this is all I can think of for now. If I can't use a CSRF token, is there a better method?

Thanks, Mike

mikerockett replied 5 years ago

Perhaps I should be using CORS (

anlutro replied 5 years ago

I guess you could make an internal request to the subdomain to retrieve a CSRF token and embed that into the form, but that would be pretty hacky. CORS would probably be the clean approach.

mikerockett replied 5 years ago

I think CORS is the way. Thanks.

Sign in to participate in this thread!

We'd like to thank these amazing companies for supporting us