menu

CSRF Token in Web Development: Secure Your React, Next.js, Django & Laravel Apps

posted Originally published at medium.com 1 min read

CSRF (Cross-Site Request Forgery) is a type of malicious exploit where unauthorized commands are transmitted from a user that the web application trusts.

What Does That Mean?
Let’s say you’re logged into your bank account and unknowingly visit a malicious website. That website secretly sends a request (using your active session) to transfer money — without your permission. Yikes!

That’s where CSRF Tokens step in to protect your application.

⚙️ How Does CSRF Protection Work?

A CSRF token is a secret, unique value generated by the server and included in web forms or responses. When the client (browser/frontend) sends a state-changing request (like POST or DELETE), it must include this token. If the server receives the request without a valid token, it’s rejected.

CSRF in React & Next.js

In frontend apps like React or Next.js, you must:

Fetch the CSRF token (usually via a dedicated endpoint like /csrf-token)
Store it (preferably in memory or context)
Send it back via headers (X-CSRFToken) in all unsafe HTTP requests

fetch('/api/data', {
  method: 'POST',
  headers: {
    'X-CSRFToken': csrfToken,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ ...data }),
  credentials: 'include'
});

CSRF in Django
Django comes with CSRF protection out of the box via middleware. You can extract and return the CSRF token using:

from django.middleware.csrf import get_token

def csrf_token_view(request):
    token = get_token(request)
    return JsonResponse({'csrfToken': token})
Use X-CSRFToken header in frontend requests and Django will validate it against the session.

CSRF in Laravel
Laravel uses the VerifyCsrfToken middleware and offers the CSRF token via Blade templates or API routes:

Route::get('/csrf-token', function () {
    return response()->json(['csrfToken' => csrf_token()]);
});

In your JS code, include this token in the headers for secure requests.

If you're not handling CSRF tokens properly:

Your users are vulnerable.
Your app is unsafe.
Your API is exposed.

I’ve written a full breakdown with visuals, best practices, and a detailed frontend-backend walkthrough here:

Are you using CSRF in your stack? What’s your implementation style?

Let me know in the comments!

Great breakdown of CSRF and how it applies across different stacks—really appreciate the clear examples! Curious though, how do you handle CSRF in apps that rely heavily on APIs with mobile clients or third-party integrations where storing tokens isn’t straightforward?

0 votes

I think best practice for React is to use jwt, not CSRF.
What do you think about this?

0 votes

I think it depends on how you're handling authentication.

If you're using JWTs stored in localStorage or memory, then yeah — you typically don't need CSRF protection because the token is sent manually in headers.

But if you're using cookies to store the JWT or session, then CSRF protection is important, since browsers automatically send cookies with requests — which is what CSRF attacks rely on.

So it’s not really "JWT vs CSRF" — they solve different problems. The key is how you're storing and sending the auth data.

0 votes

More Posts

Local-First: The Browser as the Vault

Pocket Portfolioverified - Apr 20

How I Built a React Portfolio in 7 Days That Landed ₹1.2L in Freelance Work

Dharanidharan - Feb 9

Implementing Secure Authentication in Modern Web Apps: OAuth 2.0 & JWT with Angular and Node.js

Sunny - Oct 2, 2025

Laravel 12 & Laravel Cloud: The Next Big Leap in Web Development

Snehal Kadwe - Mar 9, 2025

React Native Quote Audit - USA

kajolshah - Mar 2
chevron_left

More From Raj Aryan

Designing Viral UX/UI That Spreads Itself

CSS Styling Images: From Thumbnails to Polaroids – A Complete Guide

The Digital Classroom: What We’ve Gained—and What We’ve Lost

Related Jobs

View all jobs →

Commenters (This Week)

1 comment
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!