A form or API call returns 419 Page Expired and you have no idea why. Laravel returns 419 when the VerifyCsrfToken middleware rejects a request: the token is missing, it does not match the one stored in the session, or the session cookie never made it back so there is no session to compare against. Let's fix each cause.
The Error
419 | Page Expired
Browser requests get the HTML error page above. Requests sent with Accept: application/json get a JSON body instead: {"message": "CSRF token mismatch."}. Both come from the same TokenMismatchException.
Cause 1: Missing @csrf in a Blade Form
<form method="POST" action="/profile">
    @csrf
    <!-- fields -->
</form>
@csrf renders a hidden _token input. Every POST, PUT, PATCH or DELETE form needs it; a GET form does not, because the middleware only verifies state-changing methods.
Cause 2: AJAX Without the Token Header
<meta name="csrf-token" content="{{ csrf_token() }}">
axios.defaults.headers.common["X-CSRF-TOKEN"] =
    document.querySelector('meta[name="csrf-token"]').content;
Put the meta tag in the <head> of your layout and run the JavaScript after it has been parsed, otherwise querySelector returns null and the header is never set. Laravel accepts the token as a _token field, an X-CSRF-TOKEN header, or an X-XSRF-TOKEN header (the value of the XSRF-TOKEN cookie).
Cause 3: Session/Cookie Domain Misconfigured
If your SPA and API are on different subdomains, the session cookie must be shared, and Sanctum has to know which origins are allowed to use it. Set these in .env:
SESSION_DOMAIN=.example.com
SANCTUM_STATEFUL_DOMAINS=app.example.com
SESSION_SAME_SITE=lax
The leading dot on SESSION_DOMAIN makes the cookie valid for every subdomain. SANCTUM_STATEFUL_DOMAINS is a comma-separated list of hosts and must include the port when the SPA does not run on 80/443 (for example localhost:3000 during development). lax is enough here because subdomains of one registrable domain count as same-site; only a genuinely cross-site setup needs none, which in turn requires SESSION_SECURE_COOKIE=true.
SPA + Sanctum
For a JS SPA, call /sanctum/csrf-cookie once before your first POST so Laravel sets the XSRF-TOKEN cookie. Axios reads that cookie and sends it back automatically as an X-XSRF-TOKEN header, but only if the request carries credentials: set axios.defaults.withCredentials = true, and on axios 1.6.2 or later also axios.defaults.withXSRFToken = true, since axios stopped attaching the header to cross-origin requests by default after CVE-2023-45857.
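The same transport done by hand with fetch, as an added example that is not part of the original page and not Laravel's or axios's own code. It shows what axios does for Cause 2 and for the Sanctum flow: read the URL-encoded XSRF-TOKEN cookie, decode it, and send it as X-XSRF-TOKEN, falling back to the Blade meta tag when there is no cookie. API_BASE and the cookie strings are assumptions made for the example.

```javascript
// Added example (not from the original page). Assumptions: the API is at
// API_BASE, and the browser exposes the cookie jar through document.cookie.
const API_BASE = "https://api.example.com"; // assumed hostname

// Read one cookie from a document.cookie-style string and URL-decode it.
// Laravel writes XSRF-TOKEN URL-encoded (base64 "=" becomes "%3D"), so the
// raw value would fail the server-side comparison if sent unchanged.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Pick the CSRF header Laravel will accept: X-XSRF-TOKEN from the cookie
// (Sanctum SPA flow), else X-CSRF-TOKEN from the Blade meta tag, else none.
function csrfHeaders(cookieString, metaToken) {
  const xsrf = readCookie(cookieString, "XSRF-TOKEN");
  if (xsrf) return { "X-XSRF-TOKEN": xsrf };
  if (metaToken) return { "X-CSRF-TOKEN": metaToken };
  return {};
}

// Token from the <meta name="csrf-token"> tag, if the page has one.
function metaCsrfToken() {
  const tag = document.querySelector('meta[name="csrf-token"]');
  return tag ? tag.content : null;
}

// Sanctum SPA flow: one GET to /sanctum/csrf-cookie seeds the session and
// XSRF-TOKEN cookies; credentials: "include" is what makes the browser send
// and store cookies on a cross-subdomain request.
async function ensureCsrfCookie() {
  if (readCookie(document.cookie, "XSRF-TOKEN")) return;
  await fetch(`${API_BASE}/sanctum/csrf-cookie`, { credentials: "include" });
}

// POST JSON with the token attached. A 419 here means the cookie did not
// survive the round trip (Cause 3) rather than a missing header.
async function apiPost(path, body) {
  await ensureCsrfCookie();
  return fetch(`${API_BASE}${path}`, {
    method: "POST",
    credentials: "include",
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
      ...csrfHeaders(document.cookie, metaCsrfToken()),
    },
    body: JSON.stringify(body),
  });
}
```

Accept: application/json is set deliberately so a rejected request comes back as the JSON "CSRF token mismatch." body instead of an HTML error page, which is much easier to spot in a SPA's network tab.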
Warning
Changed .env recently while the config was cached? Run php artisan config:clear and php artisan cache:clear (or php artisan optimize:clear to drop every cache at once). A stale config cache is a sneaky cause of persistent 419s because the new SESSION_DOMAIN or SANCTUM_STATEFUL_DOMAINS values are never read. Whatever the cause, do not "fix" a 419 by excluding the route from CSRF verification; that removes the protection rather than the bug.
