Updated June 2026. Tested on Laravel 13 and PHP 8.4.

If your Vue front end talks to a Laravel back end with Axios, CSRF is mostly handled for you. It is worth knowing how, so that when it does not work you know where to look. For the general picture, see the main guide on CSRF protection in Laravel. This post is the Vue and Axios specific part.

The automatic path

Laravel sets a cookie named XSRF-TOKEN on responses. Axios is built to look for that exact cookie and, on every request, copy its value into an X-XSRF-TOKEN header. Laravel's CSRF middleware accepts that header. So when your Vue app and your Laravel app are on the same domain, and you are using Axios, the token travels back and forth on its own. You usually write no CSRF code at all.

import axios from 'axios';

// Same domain, session based. Axios reads the XSRF-TOKEN cookie
// and sends X-XSRF-TOKEN for you. Nothing else to do.
axios.post('/profile', { name: 'Jane' });

If you scaffolded with Laravel's starter kits, resources/js/bootstrap.js already imports Axios set up this way.

When you are using Sanctum for an SPA

If your Vue app is a separate single page application authenticating with Sanctum, make one call to prime the cookie before your first stateful request.

await axios.get('/sanctum/csrf-cookie');
await axios.post('/login', { email, password });

That first call sets the XSRF-TOKEN cookie, and Axios sends it back as X-XSRF-TOKEN from then on. You also need withCredentials: true on your Axios instance, otherwise the browser will not include the session and XSRF-TOKEN cookies on those cross-origin requests.

The meta tag fallback

If the cookie-based path is not available for some reason, for example a Blade page that mounts a small Vue widget, fall back to the meta tag plus a default header. Put the token in your layout.

<meta name="csrf-token" content="{{ csrf_token() }}">

Then set it once as an Axios default.

axios.defaults.headers.common['X-CSRF-TOKEN'] =
    document.querySelector('meta[name="csrf-token"]').content;
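The cookie-to-header step from the automatic path, the Sanctum priming call, and the meta tag fallback, as an added runnable model that is not code from this post, from Laravel or from Axios. Everything here is constructed for illustration: readXsrfCookie, csrfHeaders, fakeLaravel and sanctumLogin are assumed names, and the fake server keeps only the "header must match the session token" behaviour (real Laravel encrypts the cookie), so it runs without a browser or a Laravel install.

```javascript
// What Axios does with document.cookie: find XSRF-TOKEN and URL-decode it.
// Laravel URL-encodes the cookie value, so "%3D" in the cookie becomes "=".
function readXsrfCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'XSRF-TOKEN' && rest.length) {
      return decodeURIComponent(rest.join('='));
    }
  }
  return null;
}

// Which header carries the token: cookie available -> X-XSRF-TOKEN (automatic
// path); else meta tag -> X-CSRF-TOKEN (Blade widget fallback); else none,
// and VerifyCsrfToken will reject the request.
function csrfHeaders(cookieString, metaToken) {
  const fromCookie = readXsrfCookie(cookieString);
  if (fromCookie) return { 'X-XSRF-TOKEN': fromCookie };
  if (metaToken) return { 'X-CSRF-TOKEN': metaToken };
  return {};
}

// Constructed stand-in for Laravel (not Laravel code): sets the cookie on the
// priming call and checks the header on POST, answering 419 on mismatch as
// Laravel does for a token mismatch. `cookies` stands in for the browser jar.
function fakeLaravel(sessionToken) {
  return {
    cookies: '',
    async get(path) {
      if (path === '/sanctum/csrf-cookie') {
        this.cookies = 'XSRF-TOKEN=' + encodeURIComponent(sessionToken);
      }
      return { status: 204 };
    },
    async post(path, body, config = {}) {
      const sent = (config.headers || {})['X-XSRF-TOKEN'];
      return { status: sent === sessionToken ? 200 : 419 };
    },
  };
}

// The SPA flow from the post: prime the cookie once, then send the stateful
// request with the cookie-derived header and credentials enabled.
async function sanctumLogin(http, credentials) {
  if (!readXsrfCookie(http.cookies)) await http.get('/sanctum/csrf-cookie');
  return http.post('/login', credentials, {
    withCredentials: true,
    headers: csrfHeaders(http.cookies, null),
  });
}
```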

What you do not do

You do not verify the token in your controllers. The VerifyCsrfToken middleware on the web routes checks the header automatically, the same as it does for a normal form. Your job is only to make sure the token reaches Laravel, which Axios mostly does for you.

So the short version: same domain plus Axios means CSRF just works, Sanctum SPAs need one csrf-cookie call first, and the meta tag is there as a fallback. Questions welcome in the comments.