Proposal: Improve DX for disabling the XSRF-TOKEN cookie

[WterBerg]

In previous Laravel versions (<11.x), one could easily disable the XSRF-TOKEN HTTP cookie by setting the $addHttpCookie class property of https://github.com/laravel/laravel/blob/10.x/app/Http/Middleware/VerifyCsrfToken.php to false.

This no longer works in the "new" application structure introduced in Laravel 11. New Laravel projects no longer include this middleware by default. Extending the VerifyCsrfToken (or ValidateCsrfToken, it was renamed) middleware as you used to do is no longer automatically picked up by Laravel. The "base" implementation (\Illuminate\Foundation\Http\Middleware\ValidateCsrfToken) is always used.

// src/Illuminate/Foundation/Configuration/Middleware.php
    
    public function getMiddlewareGroups()
    {
        $middleware = [
            'web' => array_values(array_filter([
                \Illuminate\Cookie\Middleware\EncryptCookies::class,
                \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
                \Illuminate\Session\Middleware\StartSession::class,
                \Illuminate\View\Middleware\ShareErrorsFromSession::class,
                \Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class, // <<
                \Illuminate\Routing\Middleware\SubstituteBindings::class,
                $this->authenticatedSessions ? 'auth.session' : null,
            ])),

The only workaround I've found for this, is to manually replace this middleware with my own implementation like so:

// app/Http/Middleware/ValidateCsrfToken.php

<?php declare(strict_types=1);

namespace App\Http\Middleware;

final class ValidateCsrfToken extends \Illuminate\Foundation\Http\Middleware\ValidateCsrfToken
{
  protected $addHttpCookie = false;
}

// bootstrap/app.php

->withMiddleware(function(Middleware $middleware) {
  $middleware->web(replace: [
    \Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class => \App\Http\Middleware\ValidateCsrfToken::class
  ]);
})

This is quite verbose and cumbersome to implement.

Proposal

Ideally the Laravel framework would provide developers some way to express the desire to disable this cookie that is both expressive and concise.

One could expand the method signature of public function validateCsrfTokens(array $except = []) to include a secondary, optional argument:

// bootstrap/app.php

->withMiddleware(function(Middleware $middleware) {
  $middleware->validateCsrfTokens(addHttpCookie: false);
})

Or, an additional method is added to Middleware:

// bootstrap/app.php

->withMiddleware(function(Middleware $middleware) {
  $middleware->withoutCsrfCookie();
})

These are just two examples on how this could be changed/improved.