Laravel is one of the most popular PHP frameworks used for developing web applications. With its expressive and elegant syntax, robust set of features, and emphasis on clean code, Laravel makes it easy and enjoyable to build secure web apps.
However, like any powerful tool, Laravel can also be misused or poorly configured, leading to security vulnerabilities. As a developer, it is your responsibility to follow security best practices when building Laravel applications. In this post, we will explore some key security recommendations when using Laravel 10.
Use Encryption for Sensitive Data
Any sensitive user data, such as passwords, credit card numbers, social security numbers etc. should be encrypted before storing in the database. Laravel makes encryption and decryption very easy with the Encryption library. Here is an example:
<?php
namespace App\Http\Controllers;
use Illuminate\Support\Facades\Crypt;
class UserController extends Controller
{
public function storeUser($request)
{
$password = Crypt::encrypt($request->input('password'));
// Store $password in the DB
}
}
The encrypted data is secured with AES-256-CBC encryption that uses a randomly generated key. This prevents access to the underlying value even if the encrypted string is obtained by an attacker.
You can also encrypt entire files containing sensitive information, like API keys and credentials.
Use Laravel's Authentication System
Laravel ships with a robust authentication and authorization system out-of-the-box powered by guards and providers. It handles user registration, logging in, sessions, etc.
You should leverage Laravel’s built-in authentication instead of reinventing the wheel and creating your custom solution. It will save you time and effort while being more secure.
For example, you can use Laravel Breeze or Jetstream to scaffold your entire authentication system in minutes.
Hash Your Passwords
Never store plain text passwords in your database. The Laravel hash helper lets you hash passwords easily before storing them.
<?php
use Illuminate\Support\Facades\Hash;
$password = Hash::make('plain-text-password');
// Store $password in database
This password cannot be decrypted. Laravel’s LoginController compares the hash against the hash from the database to verify the user.
You can also use the Password Facade that combines hashing with auto-verification.
Use Parametized Queries
SQL injections are one of the biggest threats facing web apps. Using raw user input in queries allows attackers to inject malicious SQL and steal, corrupt or destroy your data.
Laravel escapes all bindings to queries by default to prevent SQL injection attacks. Make use of parametized queries or Eloquent models instead of writing raw SQL queries.
Bad:
$username = $request->input('username');
DB::select("SELECT * FROM users WHERE username = '$username'");
Good:
$username = $request->input('username');
DB::select("SELECT * FROM users WHERE username = ?", [$username]);
If using Eloquent models:
User::where('username', $username)->first();
This ensures all values are properly escaped preventing SQL injections.
Use Mass Assignment Protection
When accepting user input to populate a model, you could be exposed to mass assignment vulnerabilities. This allows attackers to modify model attributes you did not intend to be modified.
Fortunately, Eloquent models have a `$guarded` property that blacklists certain attributes. The opposite `$fillable` property whitelists approved fields.
For example:
class User extends Model
{
protected $guarded = ['id', 'is_admin'];
}
Now the id and is_admin fields cannot be mass assigned.
Take Advantage of Authorization
Laravel comes with authorization services via gates and policies that determine if a user has access to certain data or routes.
For example, you can ensure an admin user can only access admin routes:
public function update(Request $request, Post $post)
{
$this->authorize('update', $post);
// The current user can update the post...
}
Use Laravel authorization features to implement permissions and restrictions instead of putting arbitrary checks across your app.
Use CSRF Protection
Cross site request forgery (CSRF) refers to attacks that transmit unauthorized commands to your app by hijacking user sessions.
Thankfully Laravel can protect all your routes from CSRF attacks automatically. CSRF protection is enabled by default in new Laravel projects.
Just use the `@csrf` Blade directive within your HTML forms:
<form method="POST" action="/profile">
@csrf
...
</form>
This will attach a CSRF token to your form requests transparently, blocking CSRF exploits.
Avoid Direct File Uploads
Allowing users to upload files directly to your server's filesystem can expose sensitive information if not handled properly.
Instead of handling raw file uploads yourself, it's safer to use Laravel's Filesystem library with cloud storage like S3 or Digital Ocean Spaces to manage files uploaded by users.
Besides taking care of uploading, it also streamlines serving these user-generated assets back through a CDN for performance.
Logging & Monitoring
Having proper logs and alerts ensures you detect attacks or suspicious activity when they occur.
Laravel provides detailed request logging out of the box. You should also integrate application monitoring software like Sentry into your app to track errors and exceptions.
Regularly review your logs for signs of potential vulnerabilities or unsuccessful exploitation attempts. Having the audit trail to understand what went wrong greatly aids timely response.
TLS Encryption
It is vital to serve your Laravel app over HTTPS encrypted with TLS (successor to SSL), instead of plain HTTP. This prevents man-in-the-middle attacks where an attacker eavesdrops on requests between your app and users.
Thankfully most shared/cloud hosting providers offer a simple 1-click install of free SSL certificates from Let’s Encrypt. There is no excuse not to enable this baseline level encryption for all traffic including your admin interfaces and APIs.
If dealing with highly sensitive data, consider investing in premium certificates (EV/OV) that also authenticate legal identity for reassuring visitors.
Avoid Publishing Secret Keys
Most Laravel apps have an auto-generated secret key stored in the `.env` file that is used to encrypt session data and API tokens.
Make sure you never expose these confidential keys publicly, such as committing `.env` to your repository, exposing it via Laravel debug pages etc.
Restrict access to these credentials only to your servers/deployments intended to use it. Rotate compromised keys immediately if they leak accidentally.
No Weak Passwords
Enforce a strong password policy for all user accounts in your system without exceptions - admins and internal users included.
Passwords should expire every 90 days forcing periodic rotations. Additionally, consider implementing multi-factor authentication (MFA) for an added layer of security particularly for admins.
Use libraries like Laravel Password Strength Validation to prevent weak passwords that are easy to crack via brute force.
Follow Coding Best Practices
Adopt secure coding best practices during Laravel development - use latest PHP version, avoid dangerous functions like `eval()` etc., protect against cross-site scripting (XSS) and code injection vulnerabilities, employ tight access controls, develop with security in mind from start instead of bolting on later.
Foster a quality-focused development culture with code reviews, testing, documented procedures and access controls to minimize risk of errors or oversight. Restrict access only to intended functionality/data necessary for each user to do their job.
Regular Patching & Upgrades
Running outdated software is one of the major security pitfalls many apps fall into over time without realizing. It is critical you apply security patches promptly and update to latest Laravel version at the earliest opportunity.
Hackers exploit known old vulnerabilities assuming targets failed to upgrade. Laravel releases fixes for reported issues so staying current stops you being low hanging fruit. Have a plan to upgrade your projects before support runs out for your current Laravel version.
Conclusion
Securing Laravel applications goes hand in hand with following security best practices in general. Laravel has many built-in tools and guidance to implement app security fundamentals with ease.
However it is ultimately your responsibility as the developer to leverage them appropriately for your use case. Strike a balance between features, usability and security oriented restrictions keeping threat models in mind. Restrict danger only to what is absolutely necessary.
What practices do you follow to secure your Laravel apps? Share your tips and advice via the comments!