# CSRF Protection
To learn about cross-site request forgeries, see the Laravel docs.

Lighthouse provides mitigation against CSRF attacks through the `Nuwave\Lighthouse\Support\Http\Middleware\EnsureXHR` middleware. Just add it as the first middleware for the Lighthouse route in `config/lighthouse.php`:

```php
'route' => [
    // ...
    'middleware' => [
        Nuwave\Lighthouse\Support\Http\Middleware\EnsureXHR::class,
        // ... other middleware
    ],
],
```
It forbids:

- `GET` requests
- `POST` requests that can be created using HTML forms

It allows:

- other request methods
- `POST` requests with the header `X-Requested-With: XMLHttpRequest`
- `POST` requests with a `Content-Type` that can not be set from HTML forms
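The decision rule above, written out as a standalone PHP function so it can be run without Laravel. This is an added illustration, not Lighthouse's own middleware code; the list of form-capable content types and the rejection of a `POST` with no `Content-Type` at all are assumptions of this example.

```php
<?php
// Illustration of an EnsureXHR-style check (not Lighthouse's code).
// Assumption: these are the only content types an HTML <form enctype="..."> can
// produce, so a POST carrying one of them without the XHR header is
// indistinguishable from a cross-site form submission.
const FORM_CONTENT_TYPES = [
    'application/x-www-form-urlencoded',
    'multipart/form-data',
    'text/plain',
];

/**
 * Return true if the request would pass the check, false if it is rejected.
 *
 * @param string $method  HTTP method, e.g. 'POST'
 * @param array  $headers header name => value (names matched case-insensitively)
 */
function ensureXhrAllows(string $method, array $headers): bool
{
    $headers = array_change_key_case($headers, CASE_LOWER);
    $method = strtoupper($method);

    // GET is always rejected: a query in a URL can be triggered by links or images.
    if ($method === 'GET') {
        return false;
    }

    // HTML forms can only issue GET and POST, so every other method passes.
    if ($method !== 'POST') {
        return true;
    }

    // A custom header can only be attached by script; a cross-origin script
    // needs a CORS preflight to send it, so its presence rules out a plain form.
    if (($headers['x-requested-with'] ?? '') === 'XMLHttpRequest') {
        return true;
    }

    // Otherwise the POST passes only if its media type is one forms cannot set.
    // Assumption: a missing Content-Type is treated as rejected.
    $mediaType = strtolower(trim(explode(';', $headers['content-type'] ?? '')[0]));
    return $mediaType !== '' && !in_array($mediaType, FORM_CONTENT_TYPES, true);
}

// Constructed sample requests exercising each branch:
var_dump(ensureXhrAllows('GET', []));
var_dump(ensureXhrAllows('POST', ['Content-Type' => 'application/x-www-form-urlencoded']));
var_dump(ensureXhrAllows('POST', ['Content-Type' => 'text/plain; charset=utf-8']));
var_dump(ensureXhrAllows('POST', ['X-Requested-With' => 'XMLHttpRequest']));
var_dump(ensureXhrAllows('POST', ['Content-Type' => 'application/json']));
```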
Caveats:

- Old browsers (IE 9, Opera 12) don't support XHR requests
- You won't be able to use GraphQL queries through `GET` requests or HTML forms