1、laravel 默认是不对读请求进行 csrf-token 验证的,但是对于一些重要的读方法,也可以添加保护。
/**
 * Determine whether the request uses a read verb (HEAD, GET or OPTIONS).
 *
 * Requests for which this returns true are passed through by handle()
 * without a CSRF token check, so any read method that must still be
 * protected has to be opted in separately.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function isReading($request)
{
    $verb = $request->method();

    foreach (['HEAD', 'GET', 'OPTIONS'] as $readVerb) {
        if ($verb === $readVerb) {
            return true;
        }
    }

    return false;
}
2、对读请求加 csrf-token 验证
(1)namespace Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
/*修改方法*/
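/**
 * Handle an incoming request.
 *
 * Read verbs (HEAD/GET/OPTIONS) normally bypass CSRF verification. A read
 * request whose path matches an entry in $mustVerify is the exception: it
 * must carry a matching token. That check runs before the unit-test and
 * pass-through checks, so neither of those exempts a must-verify read.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  \Closure  $next
 * @return mixed
 *
 * @throws TokenMismatchException
 */
public function handle($request, Closure $next)
{
    $isReading = $this->isReading($request);

    // isReading() and tokensMatch() both take the request; calling them
    // without it fails before any token is ever compared.
    if ($isReading && $this->mustVerifyCsrfToken($request) && ! $this->tokensMatch($request)) {
        throw new TokenMismatchException;
    }

    if (
        $isReading ||
        $this->runningUnitTests() ||
        $this->shouldPassThrough($request) ||
        $this->tokensMatch($request)
    ) {
        return $this->addCookieToResponse($request, $next($request));
    }

    throw new TokenMismatchException;
}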
/* 添加方法 */
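/**
 * Determine whether the request targets a URI that must pass CSRF
 * verification even though it uses a read verb.
 *
 * Patterns are matched with $request->is(); surrounding slashes are
 * trimmed from each pattern, except for '/' itself.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function mustVerifyCsrfToken($request)
{
    // The base middleware does not declare $mustVerify; a subclass that
    // omits it should verify nothing rather than trigger a foreach() warning.
    $patterns = isset($this->mustVerify) ? (array) $this->mustVerify : [];

    foreach ($patterns as $pattern) {
        if ($pattern !== '/') {
            $pattern = trim($pattern, '/');
        }

        if ($request->is($pattern)) {
            return true;
        }
    }

    return false;
}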
(2)namespace WebGroup\Http\Middleware\VerifyCsrfToken;
修改类,添加 $mustVerify 属性
class VerifyCsrfToken extends BaseVerifier
{
    /**
     * URIs that are exempt from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        //
    ];

    /**
     * URIs that must pass CSRF verification even when requested with a
     * read verb (HEAD, GET, OPTIONS), which the base middleware would
     * otherwise let through unchecked. Read by mustVerifyCsrfToken().
     *
     * @var array
     */
    protected $mustVerify = [
        //
    ];
}