CSRF protection
Cross-Site Request Forgery (CSRF) protection prevents malicious websites from submitting forms on behalf of a logged-in user. ShopWired supports CSRF protection for all forms used in your theme, but it is not enabled by default.
To enable it on your website you'll need to:
- Make changes to your theme's code
- Contact theme support and ask them to enable the CSRF protection setting on your ShopWired account
It's important not to enable the setting before the changes have been made to your theme's code, otherwise forms on your website will not work correctly. Once enabled, all your theme's forms must be tested thoroughly to ensure they are working as intended.
If you need help updating your theme, contact theme support.
Why enable CSRF protection
CSRF protection helps secure your forms from unauthorised submissions. It’s especially important for any form that handles customer data, such as contact forms, account pages, login or signup forms, and newsletters.
When CSRF protection is enabled, every POST request from your theme must include a valid CSRF token. The token proves that the request was made from a page served by your own website and not from another domain: a browser attaches your session cookie to a cross-site POST just as it does to your own, so the cookie alone cannot tell the two apart, whereas a token embedded in your page cannot be read by another site.
PCI compliance scans
Some PCI compliance scanners (for example, those used by payment providers such as Worldpay) may flag missing CSRF tokens as a security vulnerability if your forms do not include them.
A failed PCI scan may list a warning similar to:
No CSRF tokens detected for POST request to /account/create or /account/login
This occurs because the scanner checks every POST form on your website for an anti-CSRF token. If CSRF protection has not been enabled on your ShopWired account, no token is present and the warning is not a false positive: those forms accept a POST request without any proof of where it came from, which is exactly what the CSRF protection described above prevents.
Adding CSRF protection to your theme
You'll need to add a token to every form in your theme that submits data with the POST method (a form with no method attribute submits with GET and does not need one).
Insert the {{ csrf_field() }} helper inside each form element.
Example
<form method="post" action="/account/edit">
  {{ csrf_field() }}
  <input type="text" name="first_name">
  <button type="submit">Save</button>
</form>
The {{ csrf_field() }} helper automatically outputs a hidden input field containing the CSRF token.
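Before asking theme support to switch the setting on, it is worth checking mechanically that no POST form was missed. The following is an added example and not ShopWired's own code: a small Node.js lint that scans theme template source for <form> elements with method="post" whose body does not contain {{ csrf_field() }}. The helper name and the GET-by-default rule are taken from this page; the file extensions scanned (.html, .twig, .liquid), the function names and the report format are this example's own assumptions, as is the constructed sample template.

```javascript
// Added example, not ShopWired theme code: lint theme templates for POST
// forms that lack the {{ csrf_field() }} helper, so missing tokens are found
// before CSRF protection is enabled on the account.
// Assumptions: the scanned extensions, the function names and the report format.

// Find <form> elements whose method is POST and whose body lacks
// {{ csrf_field() }}. Returns one entry per offending form with the
// 1-based line number of the <form> tag and its action attribute.
function findPostFormsMissingCsrf(source) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let match;
  while ((match = formRe.exec(source)) !== null) {
    const [, attrs, body] = match;
    // A form with no method attribute submits with GET and needs no token.
    const methodMatch = /\bmethod\s*=\s*["']?\s*([a-z]+)/i.exec(attrs);
    const method = methodMatch ? methodMatch[1].toLowerCase() : 'get';
    if (method !== 'post') continue;
    // The helper may be written with or without spaces inside the braces.
    if (/\{\{\s*csrf_field\(\)\s*\}\}/.test(body)) continue;
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    findings.push({
      line: source.slice(0, match.index).split('\n').length,
      action: actionMatch ? actionMatch[1] : '(no action attribute)',
    });
  }
  return findings;
}

// Constructed sample template (not from a real theme): one protected POST
// form, one unprotected POST form, and one GET form that needs no token.
const SAMPLE_TEMPLATE = [
  '<form method="post" action="/account/edit">',
  '  {{ csrf_field() }}',
  '  <input type="text" name="first_name">',
  '</form>',
  '<form method="POST" action="/account/login">',
  '  <input type="email" name="email">',
  '</form>',
  '<form action="/search">',
  '  <input type="search" name="q">',
  '</form>',
].join('\n');

// Command-line use: walk a theme directory and report every finding.
//   node csrf-lint.js path/to/theme
// Exits non-zero when any POST form lacks the helper, so it can gate a deploy.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const path = require('path');
  let total = 0;
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        walk(full);
      } else if (/\.(html|twig|liquid)$/i.test(entry.name)) {
        for (const f of findPostFormsMissingCsrf(fs.readFileSync(full, 'utf8'))) {
          total += 1;
          console.log(`${full}:${f.line}: POST form to ${f.action} lacks {{ csrf_field() }}`);
        }
      }
    }
  };
  walk(process.argv[2]);
  process.exit(total === 0 ? 0 : 1);
}
```

Run against the sample template, the lint reports only the /account/login form on line 5; the /account/edit form already carries the helper and the search form submits with GET. The check is a text-level heuristic: a form whose method is set from a template variable, or a form fragment assembled across several include files, has to be reviewed by hand.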
AJAX requests
If your theme uses AJAX to submit forms, you’ll need to include the CSRF token manually in the request header.
Add the following meta tag to your page:
<meta name="csrf-token" content="{{ csrf_token() }}">
Then, update your JavaScript to include the token when sending a POST request.
Example (jQuery)
// Read the token that {{ csrf_token() }} rendered into the meta tag above.
const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
$.ajax({
  url: '/account/edit',
  type: 'POST',
  data: { first_name: 'John' },
  headers: { 'X-Csrf-Token': token }  // the platform validates this header
});
This ensures all AJAX-based requests include the required token and pass CSRF validation.
Common errors
If CSRF protection is enabled but a token is missing or invalid, your form submission will fail and return a 422 error with a message such as Invalid or missing CSRF token.
This usually happens when:
- The {{ csrf_field() }} helper is missing from a form
- A page is cached for longer than the token is valid, so the token in the cached HTML has expired
- An AJAX request doesn't include the token header
Check that your theme includes the helper in every POST form, that AJAX requests send the token header, and that pages containing forms are not cached for longer than the token lifetime.
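The following is an added example, not part of ShopWired's documentation or code, covering both the AJAX section and the errors above: a fetch()-based replacement for the jQuery call that reads the token from the meta tag, sends it in the X-Csrf-Token header, and turns a 422 rejection into an error the theme can act on. The header name, the meta tag and the 422 status come from this page; the CsrfError class, the function names and the form-encoded request body are this example's own assumptions.

```javascript
// Added example, not ShopWired code. A fetch()-based POST helper that reads
// the token from <meta name="csrf-token">, sends it in the X-Csrf-Token
// header (the header this page specifies), and turns the 422 "Invalid or
// missing CSRF token" response into a CsrfError.
// Assumptions: CsrfError, the function names and the form-encoded body.

class CsrfError extends Error {
  constructor(message, status) {
    super(message);
    this.name = 'CsrfError';
    this.status = status;
  }
}

// Read the token the layout rendered with {{ csrf_token() }}. `doc` is
// injectable so the function can be exercised outside a browser.
function readCsrfToken(doc = globalThis.document) {
  const meta = doc ? doc.querySelector('meta[name="csrf-token"]') : null;
  const token = meta ? meta.getAttribute('content') : null;
  if (!token) {
    throw new CsrfError(
      'No <meta name="csrf-token"> on this page; add <meta name="csrf-token" content="{{ csrf_token() }}"> to the layout',
      0,
    );
  }
  return token;
}

// Build the fetch() options for a POST carrying the token. Kept pure so the
// header and body can be inspected directly.
function buildCsrfPost(data, token) {
  return {
    method: 'POST',
    // The session cookie is still needed to identify the user; the token
    // only shows the request was made from a page your site served.
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'X-Csrf-Token': token,
    },
    body: new URLSearchParams(data).toString(),
  };
}

// 422 is the status the platform returns for a missing or invalid token.
function classifyCsrfResponse(status) {
  if (status === 422) return 'csrf-rejected';
  if (status >= 200 && status < 300) return 'ok';
  return 'other-error';
}

async function postWithCsrf(url, data, { doc, fetchImpl = globalThis.fetch } = {}) {
  const response = await fetchImpl(url, buildCsrfPost(data, readCsrfToken(doc)));
  if (classifyCsrfResponse(response.status) === 'csrf-rejected') {
    // Typical cause: the page came from a cache after its token expired, so
    // the remedy is to load a fresh page (and a fresh token) and try again.
    throw new CsrfError('Invalid or missing CSRF token; reload the page to obtain a fresh token', 422);
  }
  return response;
}

// Browser usage, equivalent to the jQuery call above:
// postWithCsrf('/account/edit', { first_name: 'John' })
//   .then((r) => console.log('saved:', r.ok))
//   .catch((e) => { if (e instanceof CsrfError) location.reload(); else throw e; });
```

Separating the token lookup, request construction and response classification means each failure mode listed above maps to one place: a missing meta tag fails in readCsrfToken before any request is sent, a missing header cannot happen because buildCsrfPost always sets it, and an expired token from a cached page surfaces as a CsrfError with status 422 rather than a generic failed request.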
Disabling CSRF protection
If you no longer wish to use CSRF protection, contact theme support and ask them to disable it on your account. Your forms will then be accepted without CSRF tokens again, and you should expect the PCI scan warnings described above to return.
Developer reference
{{ csrf_field() }}
Returns the full hidden input field containing the CSRF token.
{{ csrf_token() }}
Returns the token string only (useful for meta tags or AJAX headers).