clarify which <form> methods need CSRF protection (#7054)
Help users understand that "POST", "PUT", "PATCH", and "DELETE" methods require CSRF protection, while "HEAD", "GET" and "OPTIONS" requests do not.

https://github.com/laravel/framework/blob/8.x/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php#L94
browner12 committed May 7, 2021
1 parent ec71f67 commit 1ca38aa
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion csrf.md
Expand Up @@ -47,7 +47,7 @@ The current session's CSRF token can be accessed via the request's session or vi
// ...
});

Anytime you define an HTML form in your application, you should include a hidden CSRF `_token` field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the `@csrf` Blade directive to generate the hidden token input field:
Anytime you define a "POST", "PUT", "PATCH", or "DELETE" HTML form in your application, you should include a hidden CSRF `_token` field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the `@csrf` Blade directive to generate the hidden token input field:

<form method="POST" action="/profile">
@csrf
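
Review bot: The added sentence treats "PUT", "PATCH", and "DELETE" as HTML form methods, but a `<form>` `method` attribute only submits GET or POST. In Laravel those verbs arrive as a POST form carrying a spoofed `_method` field (the `@method` Blade directive). A reader who takes the wording literally and writes `<form method="DELETE">` gets a form the browser submits as GET, which is one of the methods the commit message says is not CSRF-checked. Consider wording such as: a "POST" form, including one that spoofs "PUT", "PATCH", or "DELETE". A short note that state-changing actions should not be exposed through "GET" forms would also help.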