419 Page Expired

The HTTP 419 Page Expired status code is an unofficial client error specific to the Laravel PHP Framework, returned by the server to indicate Cross-Site Request Forgery (CSRF) validation has failed.

Usage

Laravel returns 419 Page Expired when CSRF validation fails. The error therefore only appears while CSRF protection is turned on, which Laravel does by default for all POST, PUT, PATCH, and DELETE requests.

SEO impact

Search engines like Google will not index a URL with a 419 response status. URLs previously indexed will be removed from search results.

Example

The client attempts to send a file and the server responds with 419 Page Expired to indicate CSRF validation failed.

Request

PUT / HTTP/1.1
Host: www.example.re
Content-Type: application/pdf
Content-Length: 10000

<PDF file is transferred>

Response

HTTP/1.1 419 Page Expired
Content-Type: text/html
Content-Length: 146

<html>
  <head>
    <title>Page Expired</title>
  </head>
  <body>
   <p>The session has expired. Refresh and try again.
   </p>
  </body>
</html>

How to fix

Missing CSRF token in forms. Every form submitting POST, PUT, PATCH, or DELETE requests needs the @csrf Blade directive. This generates a hidden input field containing the CSRF token. Without the directive, Laravel rejects the request with 419.

Expired session. The CSRF token is tied to the user session. When the session expires, the token becomes invalid. Refreshing the page generates a fresh session and token. Extend the session lifetime in config/session.php by increasing the lifetime value (in minutes) when users need longer form submission windows.

AJAX and API requests. Include the token as an X-CSRF-TOKEN header. The common pattern adds a meta tag <meta name="csrf-token"> to the page layout, then reads the value in JavaScript. For cookie-based sessions with JavaScript frameworks, Laravel sets an XSRF-TOKEN cookie. Axios and similar libraries read this cookie and send the X-XSRF-TOKEN header automatically.

Session storage issues. When using the file session driver, verify the storage/framework/sessions directory exists and the web server process has write permissions. Run chmod -R 755 storage to fix permission issues. Mode 755 grants write access to the owner only, so the directory must be owned by the user the web server runs as. For database or redis drivers, confirm the connection is stable and the sessions table or Redis instance is accessible.

Multi-domain and load balancer setups. The session cookie domain and the SESSION_DOMAIN environment variable must match the application domain. Behind a load balancer, sticky sessions or a shared session store (database or Redis) prevent requests from hitting a different server with no knowledge of the original session.

API-only routes. Routes handling stateless API traffic do not need CSRF protection. Move API routes into the api middleware group, which excludes the VerifyCsrfToken middleware by default. To exclude specific routes from CSRF checks, add them to the $except array in the VerifyCsrfToken middleware class. Keep CSRF checks on any route that authenticates through the session cookie.
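
The header selection described under "AJAX and API requests", as an added example that is not part of the original page or Laravel's own code. The names csrfHeaders and sendWithCsrf, the same-origin check, and the document stand-in are assumptions of this example.

```javascript
// Added example; csrfHeaders and sendWithCsrf are hypothetical names.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Returns the CSRF header for a request, or {} when none should be sent.
// doc is the browser document (or a stand-in with querySelector and cookie);
// pageOrigin is location.origin.
function csrfHeaders(method, url, doc, pageOrigin) {
  if (!STATE_CHANGING.has(method.toUpperCase())) return {};
  // Assumption of this example: only same-origin requests get the token,
  // so it is never disclosed to a third-party host.
  if (new URL(url, pageOrigin).origin !== pageOrigin) return {};
  // Preferred source: the csrf-token meta tag in the page layout.
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta && meta.getAttribute("content");
  if (token) return { "X-CSRF-TOKEN": token };
  // Fallback: the XSRF-TOKEN cookie, URL-decoded, sent as X-XSRF-TOKEN.
  const match = /(?:^|;\s*)XSRF-TOKEN=([^;]*)/.exec(doc.cookie || "");
  return match ? { "X-XSRF-TOKEN": decodeURIComponent(match[1]) } : {};
}

// Sends the request and reports a 419 separately from other failures, so the
// caller can reload the page for a fresh token instead of retrying blindly.
// fetchImpl is fetch in the browser; it is a parameter so it can be replaced.
async function sendWithCsrf(url, options, doc, pageOrigin, fetchImpl) {
  const method = options.method || "GET";
  const headers = { ...options.headers, ...csrfHeaders(method, url, doc, pageOrigin) };
  const response = await fetchImpl(url, { ...options, headers });
  return { ok: response.ok, expired: response.status === 419, response };
}

// Constructed stand-in for document: no meta tag, URL-encoded cookie value.
const sampleDoc = { cookie: "XSRF-TOKEN=abc%3D", querySelector: () => null };
console.log(csrfHeaders("PUT", "/", sampleDoc, "https://www.example.re"));
```

In a browser, call sendWithCsrf(url, options, document, location.origin, fetch).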

Takeaway

The 419 Page Expired status code is a Laravel-specific client error sent to indicate CSRF validation has failed.

Last updated: March 11, 2026