Understanding 419 Status Code for POST and PUT Methods in Laravel API

When developing a RESTful API using Laravel, it's common to encounter the 419 status code for POST and PUT methods. This error occurs due to Laravel's CSRF token verification process.

In Laravel 5.4 and earlier versions, CSRF tokens are enabled for all requests, including POST and PUT methods. This is to protect the application from cross-site request forgery (CSRF) attacks. By default, CSRF tokens are added to the view as hidden fields within forms.

When a POST or PUT request is submitted, Laravel expects to receive a valid CSRF token along with the request data. If a valid token is not found, Laravel generates a "419 CSRF token mismatch" exception and returns a 419 status code response.

Excluding Routes from CSRF Protection

To resolve this issue, you can exclude certain routes from CSRF token verification. In Laravel 5.5 and above, you can use the api.php file instead of web.php for API routes, and CSRF verification is not enabled by default.

If you are using web.php for API routes, you can exclude them from CSRF token verification by adding their URIs to the $except property of the VerifyCsrfToken middleware. For example:

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    protected $except = [
        '/api/*',
    ];
}

This will exclude all routes starting with /api from CSRF token verification.

Alternative Solution for Non-API Routes

If excluding routes from CSRF protection is not suitable, you can disable CSRF verification for specific methods within a route group. For example:

Route::group(['middleware' => 'web'], function () {
    Route::post('/my-route', 'MyController@store')->withoutMiddleware('verify-csrf-token');
});

This will disable CSRF token verification for the POST request to /my-route.