Get your next remote job on LaraJobs.
2 contributors Edit on GitHub Laravel Security

Here's how to fix the "419 Page Expired" error in Laravel

Table of contents:

Here's how to fix the "419 Page Expired" error in Laravel

Introduction

Have you ever encountered the “Page Expired” error with the HTTP code 419 in your Laravel applications?

It’s often a simple issue related to CSRF (Cross-Site Request Forgery) tokens.

Let’s see what it means and how to fix it.

Why “419 Page Expired” happens and how to fix it

In your Laravel 8, 9 or 10 applications, whatever the version you are running is, you have likely used the @csrf directive in your forms.

This directive generates a hidden input field containing a CSRF token automatically included when submitting the form.

This token confirms that the form is being submitted from your application and not by a third party.

Errors like the “419 Page Expired” occur when the CSRF token is mismatched. This can happen for various reasons:

  • Sometimes, you just let the page open for too long and the token expires, which is a good thing. Just click the refresh button in your browser and re-send the form.
  • Or it might be because you forgot to include the @csrf directive in your form. This is problematic because, by default, Laravel expects the CSRF token to be present thanks to the VerifyCsrfToken middleware that filters the requests.

Learn more on Laravel’s documentation about Cross-Site Request Forgery protection.

Disable CSRF protection on some pages

Occasionally, you may want to disable CSRF protection on some pages and kill those 419 HTTP codes.

Instead of removing the middleware from the kernel, specify which pages you want to exclude from being protected.

In app/Http/Middleware/VerifyCsrfToken.php:

namespace App\Http\Middleware;
 
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
 
class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array<int, string>
*/
protected $except = [
'/some-page',
'/some-other-page',
];
}
Benjamin Crozat

Written by Benjamin Crozat
and 1 contributor

Indie hacker, blogger, and AI enthusiast building things with the TALL stack. 🔥

Follow me on:

Many thanks to Leonardo Poletto for the help!

Recommended articles

12 Laravel security best practices for 2023 12 Laravel security best practices for 2023

Secure your Laravel app: protect sensitive files, keep your packages and Laravel updated, use policies, validate input, and more.

Modified on Sep 5, 2023

20+ Laravel best practices, tips and tricks to use in 2023 20+ Laravel best practices, tips and tricks to use in 2023

Learning a framework can be overwhelming, but time and execution will make you a master. Here are some best practices to help you toward your goal.

Modified on Oct 17, 2023

9 testing best practices for Laravel in 2023 9 testing best practices for Laravel in 2023

Are you familiar with testing? Good. Here are a bunch of best practices to help you level up even more!

Modified on Oct 27, 2023

Laravel interview questions and answers for 2023 Laravel interview questions and answers for 2023

Nailing a Laravel job interview can be a daunting task, but with the right preparation and mindset, you can set yourself up for success.

Modified on Sep 19, 2023 Audio available

How does Laravel work? A crystal clear explanation. How does Laravel work? A crystal clear explanation.

Discover my step by step and simple explanation of how Laravel makes your life easier.

Published on Oct 31, 2023

Gold sponsors New

  • Wire Elements
    Beautiful handcrafted Livewire components.
    Check site
Your business here

Partners

If you buy from one of my partners below, I will be compensated at no cost to you. These are services I use or used, and 100% stand behind.

  • Scalable and reliable VPS hosting.
    Bonus: $200 of free credits
    Check site
  • The Google Analytics alternative without compromise.
    Free trial: 30 days
    Bonus: $10 off your first invoice
    Check site
  • Flare
    Track PHP and JavaScript errors in one place.
    Free trial: 10 days
    Check site
  • Keep track of your Google rankings.
    Free trial: 7 days
    Promo code: WELCOME30
    Check site
- / -