419 Page Expired error in Laravel - Rocketeers app [ Rocketeers ](/) [Login](https://rocketeersapp.com/login) On this page Knowledge --------- 419 Page Expired error in Laravel ================================= ### [\#Laravel](https://rocketeersapp.com/knowledge/laravel) When working with Laravel you will encounter this error from time to time. Here's how you can fix this error. Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on February 23, 2024 Updated on September 18, 2024 · 1 minute read 1. [Why is the page expired?](#content-why-is-the-page-expired) 2. [When does this happen](#content-when-does-this-happen) 3. [How to fix the error](#content-how-to-fix-the-error) [\#](#content-why-is-the-page-expired "Permalink")Why is the page expired? -------------------------------------------------------------------------- Laravel uses Cross-Site Request Forgery (CSRF) as a protection mechanism, that protects your app from external HTTP requests to your application. Requests from the outside cannot always be trusted, because they can try to mingle with the data and sessions of your users. CSRF works by generating a unique and randomly generated token that only your application knows and therefore it can detect if a request is allowed by verifying this token. The token expires automatically to make sure it cannot be retrieved and used again and again. [\#](#content-when-does-this-happen "Permalink")When does this happen --------------------------------------------------------------------- A page expired error can happen when you've forgotten to send the randomly generated CSRF token along with a "POST", "PUT", "PATCH", or "DELETE" request. This typically happens when making an AJAX request or when submitting a form. [\#](#content-how-to-fix-the-error "Permalink")How to fix the error ------------------------------------------------------------------- When submitting a form, always add a hidden input named `_token` with the value set to `csrf_token()`. More easily you can use the `@csrf` Blade directive which is a shortcut to output this hidden input. If you're performing an AJAX request, then it's because you've forgotten to add the `X-CSRF-TOKEN` header to the request. You can add this header automatically to every AJAX request when using the popular [Axios](https://axios-http.com) Javascript HTTP library: ``` window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; ``` Or when using jQuery: ``` $.ajaxSetup({ headers: { 'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') } }); ``` Another option - depending on your use case - is to [disable the verification of the CSRF token](/disable-csrf-in-laravel) for all or specific routes in your application. In case of stateless requests like API or webhooks this makes sense and is the use of API tokens or signed routes more suitable. For a deeper walkthrough of every cause and fix, including AJAX headers and expired sessions, see [CSRF token mismatch in Laravel](/csrf-token-mismatch-laravel). ### Subscribe to our newsletter Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now! Fill in your email address to receive updates Subscribe #### More in [\#Laravel](https://rocketeersapp.com/knowledge/laravel) - [How to use different PHP versions with Laravel Valet](https://rocketeersapp.com/knowledge/different-php-versions-laravel-valet) - [Disable cookies in Laravel](https://rocketeersapp.com/knowledge/disable-cookies-in-laravel) - [Logging in Laravel](https://rocketeersapp.com/knowledge/laravel-logging) - [How to check which Laravel version of your app is using](https://rocketeersapp.com/knowledge/check-laravel-version) - [Disable CSRF in Laravel](https://rocketeersapp.com/knowledge/disable-csrf-in-laravel) - [Creating an encrypted cookie value in Laravel](https://rocketeersapp.com/knowledge/creating-an-encrypted-cookie-value-in-laravel) [View all 19 articles →](https://rocketeersapp.com/knowledge/laravel)