Security Session Forms
Last updated 2 years ago.

I cannot think of any downfall in this case. But I prefer to put it in the head as a meta tag.

Last updated 2 years ago.

Yea, I have a meta tag in the master view for my apps so the csrfToken is always available. Most of my app is using ajax calls, so my JS yanks the meta value into a top level property in my app js module that can be accessed anywhere in my code.

I don't really see a downfall to having it in there. It changes every reload so I don't think there is a major security concern with it. Who knows though, maybe there is, but for now I think it's fine.

This is what's in the head of my master template:

    <meta name="csrf_token" content="{{ csrf_token() }}">

Last updated 2 years ago.

so on your ajax calls you just define

    data: { csrf_token: $('[name="csrf_token"]').attr('content') }

Last updated 2 years ago.

I just posted a question to Stack Overflow ( about adding a

    var csrfToken = {{ tokenValue }}

in a Go server. I can't think of any security issues with this, but I am not a security expert.
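
An added example, not part of any post in this thread: the meta-tag approach discussed above is usually paired with a check that the token is only sent on state-changing requests to the page's own origin, so it never travels to a third-party host. The function names and the `X-CSRF-Token` header name are assumptions for illustration; the server has to be configured to read whichever header or field is used.

```javascript
// Added example: decide when the CSRF token from the <meta> tag may be attached.
// All names here are hypothetical; they are not from the thread or from Laravel.

// Methods that must not change state and therefore need no token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Read the token from the thread's <meta name="csrf_token" content="..."> tag.
// `doc` is the browser's `document` (or any object with querySelector).
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf_token"]');
  return meta ? meta.getAttribute('content') : null;
}

// True only when requestUrl resolves to the page's own scheme, host and port.
// Relative URLs resolve against pageOrigin; unparsable URLs count as foreign.
function isSameOrigin(requestUrl, pageOrigin) {
  try {
    return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false;
  }
}

// Return the extra headers for one request. The token is attached only to
// state-changing, same-origin requests; everything else gets no token.
// Header name X-CSRF-Token is an assumption; match it to the server's check.
function csrfHeaders(method, requestUrl, pageOrigin, token) {
  const m = String(method || 'GET').toUpperCase();
  if (!token || SAFE_METHODS.has(m) || !isSameOrigin(requestUrl, pageOrigin)) {
    return {};
  }
  return { 'X-CSRF-Token': token };
}
```

In a browser, `pageOrigin` would be `window.location.origin` and `doc` would be `document`; the returned object can be merged into the headers of each ajax call.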

