unknown

A debugging story about tracking down 419 CSRF errors in a Laravel Livewire application. The root cause was four spaces before the <?php tag in routes/web.php, which sent output before headers and prevented session cookies from being set. The issue only appeared with Herd (nginx + PHP-FPM) because output buffering was disabled, while php artisan serve masked the problem by buffering output by default.

Four Spaces Before <?php

Welcome to PHP Dev, a dedicated space for sharing knowledge about PHP and its ecosystem (only PHP directly related).
Help us find good articles and blogposts and provide links. Upvote or downvote, after reading, it's essential

PHP Dev

It’s always the dumbest stuff that has us stumped the longest.

In this day and age I wonder why in 2026 we still need to write the opening tag, when we have great template engines.
We should be able to write php without the tag but the engine should throw an error if it is omitted in a file mixing html and php (or any other combinations), so that it still works for WP.

Because of such behavior I was failing with php a lot on 2003 (there was no debugging tools like now in browser and all you had is your attention and intuition)
However “embeddable” scripts across file which supposed to go to stdio - was the core idea of PHP and reason why it was loved

Such an interesting case, you did a great job finding the cause. Thanks for sharing.

Good point, I hope PHP becomes more optimized. It’s already important, but its syntax needs improvement.