Laravel Security

1---2name: laravel-security3description: Laravel security best practices for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment.4origin: ECC5---6 7# Laravel Security Best Practices8 9Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.10 11## When to Activate12 13- Adding authentication or authorization14- Handling user input and file uploads15- Building new API endpoints16- Managing secrets and environment settings17- Hardening production deployments18 19## How It Works20 21- Middleware provides baseline protections (CSRF via `VerifyCsrfToken`, security headers via `SecurityHeaders`).22- Guards and policies enforce access control (`auth:sanctum`, `$this->authorize`, policy middleware).23- Form Requests validate and shape input (`UploadInvoiceRequest`) before it reaches services.24- Rate limiting adds abuse protection (`RateLimiter::for('login')`) alongside auth controls.25- Data safety comes from encrypted casts, mass-assignment guards, and signed routes (`URL::temporarySignedRoute` + `signed` middleware).26 27## Core Security Settings28 29- `APP_DEBUG=false` in production30- `APP_KEY` must be set and rotated on compromise31- Set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax` (or `strict` for sensitive apps)32- Configure trusted proxies for correct HTTPS detection33 34## Session and Cookie Hardening35 36- Set `SESSION_HTTP_ONLY=true` to prevent JavaScript access37- Use `SESSION_SAME_SITE=strict` for high-risk flows38- Regenerate sessions on login and privilege changes39 40## Authentication and Tokens41 42- Use Laravel Sanctum or Passport for API auth43- Prefer short-lived tokens with refresh flows for sensitive data44- Revoke tokens on logout and compromised accounts45 46Example route protection:47 48```php49use Illuminate\Http\Request;50use Illuminate\Support\Facades\Route;51 52Route::middleware('auth:sanctum')->get('/me', function (Request $request) {53    return $request->user();54});55```56 57## Password Security58 59- Hash passwords with `Hash::make()` and never store plaintext60- Use Laravel's password broker for reset flows61 62```php63use Illuminate\Support\Facades\Hash;64use Illuminate\Validation\Rules\Password;65 66$validated = $request->validate([67    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],68]);69 70$user->update(['password' => Hash::make($validated['password'])]);71```72 73## Authorization: Policies and Gates74 75- Use policies for model-level authorization76- Enforce authorization in controllers and services77 78```php79$this->authorize('update', $project);80```81 82Use policy middleware for route-level enforcement:83 84```php85use Illuminate\Support\Facades\Route;86 87Route::put('/projects/{project}', [ProjectController::class, 'update'])88    ->middleware(['auth:sanctum', 'can:update,project']);89```90 91## Validation and Data Sanitization92 93- Always validate inputs with Form Requests94- Use strict validation rules and type checks95- Never trust request payloads for derived fields96 97## Mass Assignment Protection98 99- Use `$fillable` or `$guarded` and avoid `Model::unguard()`100- Prefer DTOs or explicit attribute mapping101 102## SQL Injection Prevention103 104- Use Eloquent or query builder parameter binding105- Avoid raw SQL unless strictly necessary106 107```php108DB::select('select * from users where email = ?', [$email]);109```110 111## XSS Prevention112 113- Blade escapes output by default (`{{ }}`)114- Use `{!! !!}` only for trusted, sanitized HTML115- Sanitize rich text with a dedicated library116 117## CSRF Protection118 119- Keep `VerifyCsrfToken` middleware enabled120- Include `@csrf` in forms and send XSRF tokens for SPA requests121 122For SPA authentication with Sanctum, ensure stateful requests are configured:123 124```php125// config/sanctum.php126'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),127```128 129## File Upload Safety130 131- Validate file size, MIME type, and extension132- Store uploads outside the public path when possible133- Scan files for malware if required134 135```php136final class UploadInvoiceRequest extends FormRequest137{138    public function authorize(): bool139    {140        return (bool) $this->user()?->can('upload-invoice');141    }142 143    public function rules(): array144    {145        return [146            'invoice' => ['required', 'file', 'mimes:pdf', 'max:5120'],147        ];148    }149}150```151 152```php153$path = $request->file('invoice')->store(154    'invoices',155    config('filesystems.private_disk', 'local') // set this to a non-public disk156);157```158 159## Rate Limiting160 161- Apply `throttle` middleware on auth and write endpoints162- Use stricter limits for login, password reset, and OTP163 164```php165use Illuminate\Cache\RateLimiting\Limit;166use Illuminate\Http\Request;167use Illuminate\Support\Facades\RateLimiter;168 169RateLimiter::for('login', function (Request $request) {170    return [171        Limit::perMinute(5)->by($request->ip()),172        Limit::perMinute(5)->by(strtolower((string) $request->input('email'))),173    ];174});175```176 177## Secrets and Credentials178 179- Never commit secrets to source control180- Use environment variables and secret managers181- Rotate keys after exposure and invalidate sessions182 183## Encrypted Attributes184 185Use encrypted casts for sensitive columns at rest.186 187```php188protected $casts = [189    'api_token' => 'encrypted',190];191```192 193## Security Headers194 195- Add CSP, HSTS, and frame protection where appropriate196- Use trusted proxy configuration to enforce HTTPS redirects197 198Example middleware to set headers:199 200```php201use Illuminate\Http\Request;202use Symfony\Component\HttpFoundation\Response;203 204final class SecurityHeaders205{206    public function handle(Request $request, \Closure $next): Response207    {208        $response = $next($request);209 210        $response->headers->add([211            'Content-Security-Policy' => "default-src 'self'",212            'Strict-Transport-Security' => 'max-age=31536000', // add includeSubDomains/preload only when all subdomains are HTTPS213            'X-Frame-Options' => 'DENY',214            'X-Content-Type-Options' => 'nosniff',215            'Referrer-Policy' => 'no-referrer',216        ]);217 218        return $response;219    }220}221```222 223## CORS and API Exposure224 225- Restrict origins in `config/cors.php`226- Avoid wildcard origins for authenticated routes227 228```php229// config/cors.php230return [231    'paths' => ['api/*', 'sanctum/csrf-cookie'],232    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],233    'allowed_origins' => ['https://app.example.com'],234    'allowed_headers' => [235        'Content-Type',236        'Authorization',237        'X-Requested-With',238        'X-XSRF-TOKEN',239        'X-CSRF-TOKEN',240    ],241    'supports_credentials' => true,242];243```244 245## Logging and PII246 247- Never log passwords, tokens, or full card data248- Redact sensitive fields in structured logs249 250```php251use Illuminate\Support\Facades\Log;252 253Log::info('User updated profile', [254    'user_id' => $user->id,255    'email' => '[REDACTED]',256    'token' => '[REDACTED]',257]);258```259 260## Dependency Security261 262- Run `composer audit` regularly263- Pin dependencies with care and update promptly on CVEs264 265## Signed URLs266 267Use signed routes for temporary, tamper-proof links.268 269```php270use Illuminate\Support\Facades\URL;271 272$url = URL::temporarySignedRoute(273    'downloads.invoice',274    now()->addMinutes(15),275    ['invoice' => $invoice->id]276);277```278 279```php280use Illuminate\Support\Facades\Route;281 282Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])283    ->name('downloads.invoice')284    ->middleware('signed');285```