Yuka さん
Persistent 419 CSRF Error on Livewire File Uploads behind Cloudflare Tunnel
Hey everyone,
I'm running into a frustrating
419 CSRF token mismatch error, but only when uploading files via Livewire components. Regular Livewire component updates (POST requests to /livewire/update) work perfectly fine.
The Problem:
* When a user tries to upload a file using a Filament/Livewire FileUpload component, the POST request to https://sub.domain.com/livewire/upload-file?... fails with a 419 error.
* Looking at the network response for the 419, the server is trying to Set-Cookie for a new session, indicating it didn't recognize the original session for that specific upload request.
* The X-CSRF-TOKEN header is being correctly sent with the failing upload request (matching the token from the initial page load meta tag).
* Regular Livewire actions/updates on the same page work without any CSRF issues.
What I've Tried So Far:
1. Trusted Proxies: Configured using monicahq/laravel-cloudflare and replaced the default TrustProxies in bootstrap/app.php as per their docs.
2. .env Configuration:
* APP_URL={The Domain From Cloudflared}
* SESSION_DOMAIN=.domain.com (also tried null and sub.domain.com)
* SESSION_SECURE_COOKIE=true
3. config/session.php: Checked same_site (currently 'lax', also tried 'none' with secure=true). http_only is true.
4. Livewire Upload Middleware: Tried adding 'web' and just StartSession::class to temporary_file_upload.middleware in config/livewire.php. No change.
My Suspicion:
Has anyone encountered a similar issue with Livewire file uploads behind Cloudflare Tunnels or other reverse proxies where only the upload route loses the session? Any ideas on what else to check (specific Cloudflare settings, Livewire internals, PHP session handling nuances)?4 replies