What is the XSRF-TOKEN Cookie?
Set by Laravel (Laravel (Illuminate)). Expires after Session.
Purpose
Contains a CSRF token used to verify that authenticated requests originate from the application. Prevents cross-site request forgery attacks.
Sent automatically in the X-XSRF-TOKEN header by Axios and the Fetch API. No consent required — purely a security mechanism.
Cookie Details
| Cookie Name | XSRF-TOKEN |
| Service | Laravel |
| Provider | Laravel (Illuminate) |
| Category | Strictly Necessary |
| Duration | Session |
| Consent Required | No — strictly necessary |
Category: Strictly Necessary
Strictly necessary cookies are essential for the website to function and cannot be switched off. They are set only in response to actions made by you — such as logging in or filling forms. No consent is required.
GDPR Requirements
The XSRF-TOKEN cookie is strictly necessary and does not require user consent under GDPR and the ePrivacy Directive. It may be set when the user first visits your site.
However, you must still disclose this cookie in your cookie policy, explaining what it does and why it is necessary.
How to Handle This Cookie
- It can load freely — no need to block Laravel behind a consent gate for this specific cookie.
- Disclose it — list it in your cookie policy explaining it is strictly necessary for laravel functionality.
- Don't add a checkbox for it — strictly necessary cookies should not be listed as toggleable in your consent UI.
Other Laravel Cookies
| Cookie | Category | Duration |
|---|---|---|
| laravel_session | Strictly Necessary | Session |
| remember_web_* | Functional | 30 days |
Is this cookie on your website?
Scan your website to see every cookie it sets, whether they're blocked before consent, and get a full GDPR compliance report.
Scan your website free →