419
HTTP | ERROR | Notable | 4xx Client Error (Unofficial) | HIGH confidence

Page Expired

Production Risk

Medium — frequent 419 errors indicate a UX problem (session timeout) or a misconfigured load balancer stripping CSRF tokens.

What this means

419 Page Expired is used by the Laravel PHP framework to indicate that the CSRF (Cross-Site Request Forgery) token included in a form submission is missing, expired, or invalid. Laravel returns this status when the token cannot be verified, preventing CSRF attacks.

Why it happens

  1. The CSRF token in the form has expired (session timed out while the user had the page open).
  2. The user opened the form in multiple tabs and submitted from an older tab whose token is no longer valid.
  3. The _token field was stripped by a middleware, load balancer, or caching layer.
  4. The form was submitted via AJAX without including the X-CSRF-TOKEN header.
  5. The session cookie was not sent due to SameSite or domain misconfiguration.

How to reproduce

A user fills in a long web form, leaves the tab idle for 30+ minutes, then submits — the CSRF token has expired with their session.

trigger — this will error
POST /contact HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

name=Alice&message=Hello
# Missing: _token=<csrf_token>

expected output

HTTP/1.1 419 Page Expired

Fix 1

Include the CSRF token in every form

WHEN: Building HTML forms in Laravel.

<form method="POST" action="/contact">
    @csrf
    <!-- form fields -->
</form>

Why this works

The @csrf Blade directive emits a hidden _token input with the current session's CSRF token.

Fix 2

Include X-CSRF-TOKEN header in AJAX requests

WHEN: Making AJAX POST/PUT/DELETE requests in Laravel.

// Add to your axios setup
axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector('meta[name="csrf-token"]').content;

Why this works

Laravel's VerifyCsrfToken middleware accepts the token in the header as well as the form body.
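
A default header set on axios is sent with every request made through it, including requests to other origins. The following added example (not code from the original page or from Laravel) attaches X-CSRF-TOKEN only to same-origin, state-changing requests and reports a 419 as a distinct error. The function names csrfHeaders, readMetaToken and csrfFetch are hypothetical; the csrf-token meta tag is the one used in the snippet above.

```javascript
// Added example, not from the original page. Laravel's CSRF middleware only
// checks state-changing requests, so only those need the header.
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Read the token from <meta name="csrf-token">. Returns null outside a browser
// or when the tag is missing (a missing tag leads straight to a 419).
function readMetaToken(doc = globalThis.document) {
  const meta = doc && doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.content : null;
}

// Extra headers for one request. pageOrigin is window.location.origin in a
// browser; it is a parameter here so the logic can be tested without a DOM.
function csrfHeaders(method, url, pageOrigin, token) {
  const target = new URL(url, pageOrigin); // resolves relative URLs
  const sameOrigin = target.origin === pageOrigin;
  const unsafe = UNSAFE_METHODS.has(String(method).toUpperCase());
  // Never hand the session's token to another origin.
  return sameOrigin && unsafe && token ? { 'X-CSRF-TOKEN': token } : {};
}

// fetch wrapper (hypothetical helper): adds the header and surfaces a 419 as a
// distinct error so the UI can ask the user to reload instead of failing silently.
async function csrfFetch(url, options = {}, env = {}) {
  const pageOrigin = env.origin ?? globalThis.location.origin;
  const token = env.token ?? readMetaToken();
  const doFetch = env.fetch ?? globalThis.fetch;
  const method = options.method ?? 'GET';
  const headers = { ...options.headers, ...csrfHeaders(method, url, pageOrigin, token) };
  const res = await doFetch(url, { credentials: 'same-origin', ...options, headers });
  if (res.status === 419) {
    const err = new Error('419 Page Expired: CSRF token missing, expired, or invalid');
    err.code = 'CSRF_TOKEN_REJECTED';
    throw err;
  }
  return res;
}
```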

Fix 3

Extend session lifetime for long forms

WHEN: Users are frequently hitting 419 due to session timeout.

// config/session.php
'lifetime' => 240, // minutes

Why this works

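Increases the session lifetime, so the CSRF token, which expires with the session, remains valid longer. The trade-off is that an idle session also stays usable for longer.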

What not to do

Do not disable CSRF protection entirely

This opens your application to cross-site request forgery attacks.

Version notes
Laravel 5+

CSRF protection is enabled by default via the VerifyCsrfToken middleware. 419 is returned instead of a generic 500 to help developers identify token issues.

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev
