F
Filament2d ago
Yuka さん

Persistent 419 CSRF Error on Livewire File Uploads behind Cloudflare Tunnel

Hey everyone, I'm running into a frustrating 419 CSRF token mismatch error, but only when uploading files via Livewire components. Regular Livewire component updates (POST requests to /livewire/update) work perfectly fine. The Problem: * When a user tries to upload a file using a Filament/Livewire FileUpload component, the POST request to https://sub.domain.com/livewire/upload-file?... fails with a 419 error. * Looking at the network response for the 419, the server is trying to Set-Cookie for a new session, indicating it didn't recognize the original session for that specific upload request. * The X-CSRF-TOKEN header is being correctly sent with the failing upload request (matching the token from the initial page load meta tag). * Regular Livewire actions/updates on the same page work without any CSRF issues. What I've Tried So Far: 1. Trusted Proxies: Configured using monicahq/laravel-cloudflare and replaced the default TrustProxies in bootstrap/app.php as per their docs. 2. .env Configuration: * APP_URL={The Domain From Cloudflared} * SESSION_DOMAIN=.domain.com (also tried null and sub.domain.com) * SESSION_SECURE_COOKIE=true 3. config/session.php: Checked same_site (currently 'lax', also tried 'none' with secure=true). http_only is true. 4. Livewire Upload Middleware: Tried adding 'web' and just StartSession::class to temporary_file_upload.middleware in config/livewire.php. No change. My Suspicion: Has anyone encountered a similar issue with Livewire file uploads behind Cloudflare Tunnels or other reverse proxies where only the upload route loses the session? Any ideas on what else to check (specific Cloudflare settings, Livewire internals, PHP session handling nuances)?
1 Reply
Mohamed Ayaou
Mohamed Ayaou2d ago
Happened to many people already in previous posts in this channel, the only solution worked for me (and suggested by a filament team member) is to disabled CSRF checking for livewire. in your bootstrap/app.php: 
->withMiddleware(function (Middleware $middleware) {
        $middleware->validateCsrfTokens(except: [
            'livewire/*', // for fixing 419 code error
             // ...
->withMiddleware(function (Middleware $middleware) {
        $middleware->validateCsrfTokens(except: [
            'livewire/*', // for fixing 419 code error
             // ...
Not the best solution but remember that the error might have different reasons just check the old posts in this channel related to 419 errors

Did you find this page helpful?