CSRF Token

I am using Laravel and It pass CSRF_TOKEN as header. I can't use webix_security because I am using json. So How to use CSRF_TOKEN with Laravel?



  • Hi,

    It is possible to use "data proxy" to hide the details of CSRF token receiving and sending.


    Can you point please to related doc, how CSRF token is provided and how it must be sent back for Laravel backend?

  • edited April 2015

    Thank you. I defined X-XSRF-TOKEN header. It works.

    in Webix

    webix.ajax().headers({'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')});

    In Laravel5

    < meta name="csrf-token" content="<?php echo csrf_token()?>" />

  • Is it possible to pass CSRF tokens on filemanager actions?

  • Hello,

    The existent version does not provide solution to add header.

    But we will add a solution in the next build. The 5th parameter for onBeforeAjax handlers will be hash of request headers.

  • Thanks for the response Maria. I guess I'll have to wait. =)

  • The build is planned to be released within the next 1-2 weeks. If you need the solution ASAP, please open a ticket in members' area.

  • Hi, how can i add CSRF token to filemanager actions?

        webix.attachEvent("onBeforeAjax", function(mode, url, data, request, headers, files, promise){
            headers["X-CSRF-TOKEN"]= $('meta[name="csrf-token"]').attr('content');

    It works except downloading action.

  • Downloading action navigates a browser to the target file, there is no ajax call here so extra headers can't be added.

    It possible to implement your own action, which will download file by ajax request, in which case the same onBeforeAjax event will work for header modification.

  • Hello, I set a security plugin for cakephp and start loading over

    webix.ajax().post(path+'0', object, ...

    object is a json object.

    Also I have set:

    function(mode, url, data, request, headers){
    'use strict';
    headers['X-CSRF-Token'] = <_Token>;

    But I'll get :

    '_Token' was not found in request data.


    '_Token.fields' was not found in request data.

    this would be nessesary if I submit a form. But in most cases I just post json objects.

    If you got an idea, please let me know.


  • The onBeforeAjax handler must affect all ajax calls
    You can use dev.tools to check the HTTP request headers, to be sure that valid token header is added to the request

  • Hi maksim.

    On html page I set :

    <?= $this->request->getParam('_csrfToken') ?>

    and in

    function(mode, url, data, request, headers){
    'use strict';
    headers['X-CSRF-Token'] = $('#csrfToken').html();

    but on:

    webix.ajax().post(path, object, {})

    I'll get

    '_Token' was not found in request data.

    that meants this will interpreted as a form submit with a hidden field for _Token[fields]=!

    Request header has X-CSRF-Token:

    Response header got: HTTP/1.1 400 Bad Request

  • If request has a valid token, than it must be some mis-configuration on the server side. ( be sure that token is exactly same, if token string has some special chars, they may be corrupted by HTML parser )

  • edited February 5

    Thank you maksim.

    One example with a login form:
    I come along with this csrf-token for a formbuilder in cakephp I'll get this
    on submit to server I'll get this:
    email: test@ema.il
    password: test1234
    _Token[fields]: 55e5bf45c46dcd370a9fc1cda0de12a55356345a%3A
    _Token[debug]: %5B%22%5C%2FUsers%5C%2Flogin%22%2C%5B%22email%22%2C%22password%22%5D%2C%5B%5D%5D

    automatic in a form. The Token will be checked on server side but on sending json I should always send this Token with the json. How can I add this Token always with a json object?

    Does it as something to do with JSON Web Token?

    THank you for any hint


  • You can use the same onBeforeAjax event, third parameter is the post payload ( hash of keys, or json object ) which can be altered similar to he headers.

  • Hello.

    Thank you maksim. The problem is middleware provides security formbuilder functionality. means every form build with cakephp (or symfony) gets this _Token[fields] etc... but when building a webix form there is no such security build in. So I have to add this afterwards. Is there a possibility to send this security Token also with webix formbuilder?

    Thank you

Sign In or Register to comment.