We're using Laravel 5.3's built-in CSRF protection via the {{ csrf_field() }} method.
When we've been running security scans that obviously fail the check, the server returns a 500 Internal Server Error.
However, this isn't actually a server error, as it is the client sending bad information, so it should fall into the 400 error range.
I've done a small bit of digging and can't quite see how it actually returns the 500.
Would anybody be able to suggest how to change this response to something else?
You can override this through your app/Http/Middleware/VerifyCsrfToken.php file like so:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
use Illuminate\Session\TokenMismatchException;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * URIs that should be excluded from CSRF verification.
     */
    protected $except = [];

    public function handle($request, Closure $next)
    {
        try {
            return parent::handle($request, $next);
        } catch (TokenMismatchException $ex) {
            // Either throw a custom exception here:
            //   throw new CustomException($ex->getMessage());
            // or turn it into an HttpException with a client-error status,
            // so the uncaught exception no longer surfaces as a 500:
            abort(403, $ex->getMessage());
        }
    }
}
```
In Laravel 5.3 you go to app/Exceptions/Handler.php and edit the render() function:

```php
// at the top of app/Exceptions/Handler.php, next to the existing imports
use Illuminate\Session\TokenMismatchException;

public function render($request, Exception $exception)
{
    if ($exception instanceof TokenMismatchException) {
        // A missing or stale token is a client error: answer 403, not 500.
        return response('CSRF token mismatch.', 403);
    }

    return parent::render($request, $exception);
}
```
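A fuller version of the exception-handler approach, as an added example that is not code from the question or either answer (the same branching would work in the middleware's catch block from the first answer). It is written against Laravel 5.3's default app/Exceptions/Handler.php; the message strings and the `csrf` error key are assumptions for illustration. It answers AJAX/JSON callers with a machine-readable 403 and sends browser form posts back to the form with their input, since for a legitimate user a token mismatch almost always means an expired session:

```php
<?php
// app/Exceptions/Handler.php (Laravel 5.3). Added example, not the page's own
// code. Message strings and the 'csrf' error key are assumptions.

namespace App\Exceptions;

use Exception;
use Illuminate\Session\TokenMismatchException;
use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;

class Handler extends ExceptionHandler
{
    /**
     * Exceptions that are not reported to the log. Token mismatches are
     * expected client errors (expired sessions, scanners, forged requests);
     * keeping them out of the error log leaves real 500s visible.
     */
    protected $dontReport = [
        TokenMismatchException::class,
    ];

    public function render($request, Exception $exception)
    {
        if ($exception instanceof TokenMismatchException) {
            return $this->renderTokenMismatch($request);
        }

        return parent::render($request, $exception);
    }

    /**
     * Answer a CSRF failure as a client error (4xx), never as a 500.
     */
    protected function renderTokenMismatch($request)
    {
        // API and AJAX callers get a JSON body with a 403 status.
        if ($request->ajax() || $request->wantsJson()) {
            return response()->json(['error' => 'CSRF token mismatch.'], 403);
        }

        // Browser form posts: back to the form with the previous input
        // (minus the stale token and any secrets) and a human-readable
        // error, so the user can simply resubmit with a fresh token.
        return redirect()->back()
            ->withInput($request->except('_token', 'password', 'password_confirmation'))
            ->withErrors(['csrf' => 'Your session has expired. Please try again.']);
    }
}
```

Two caveats a reviewer would raise: the redirect branch answers browsers with a 302, so a scanner that insists on a 4xx for every client should see `abort(403, 'CSRF token mismatch.')` there instead; and listing the exception in `$dontReport` means you lose the log line that would show a burst of forged requests, so keep reporting enabled if you alert on that. Later Laravel releases (5.5 and up) handle this case themselves by rendering a TokenMismatchException as 419 "Page Expired", which is the same idea with a different status code.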