Skill

laravel-security

Guides Laravel security best practices for authn/authz, validation, CSRF/mass assignment protection, file uploads, secrets, rate limiting, session hardening, and secure deployments.

Php

Laravel

security

backend

Install

npx claudepluginhub ncmfn/claudecode

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

166.1k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

166.1k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

166.1k

Stats

Stars0

Forks0

Last CommitMar 16, 2026

Used By34 plugins

Actions

View Source View Plugin View on GitHub View README

Laravel Security Best Practices

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

When to Activate

Adding authentication or authorization
Handling user input and file uploads
Building new API endpoints
Managing secrets and environment settings
Hardening production deployments

How It Works

Middleware provides baseline protections (CSRF via VerifyCsrfToken, security headers via SecurityHeaders).
Guards and policies enforce access control (auth:sanctum, $this->authorize, policy middleware).
Form Requests validate and shape input (UploadInvoiceRequest) before it reaches services.
Rate limiting adds abuse protection (RateLimiter::for('login')) alongside auth controls.
Data safety comes from encrypted casts, mass-assignment guards, and signed routes (URL::temporarySignedRoute + signed middleware).

Core Security Settings

APP_DEBUG=false in production
APP_KEY must be set and rotated on compromise
Set SESSION_SECURE_COOKIE=true and SESSION_SAME_SITE=lax (or strict for sensitive apps)
Configure trusted proxies for correct HTTPS detection

Session and Cookie Hardening

Set SESSION_HTTP_ONLY=true to prevent JavaScript access
Use SESSION_SAME_SITE=strict for high-risk flows
Regenerate sessions on login and privilege changes

Authentication and Tokens

Use Laravel Sanctum or Passport for API auth
Prefer short-lived tokens with refresh flows for sensitive data
Revoke tokens on logout and compromised accounts

Example route protection:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});

Password Security

Hash passwords with Hash::make() and never store plaintext
Use Laravel's password broker for reset flows

use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

$validated = $request->validate([
    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],
]);

$user->update(['password' => Hash::make($validated['password'])]);

Authorization: Policies and Gates

Use policies for model-level authorization
Enforce authorization in controllers and services

$this->authorize('update', $project);

Use policy middleware for route-level enforcement:

use Illuminate\Support\Facades\Route;

Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);

Validation and Data Sanitization

Always validate inputs with Form Requests
Use strict validation rules and type checks
Never trust request payloads for derived fields

Mass Assignment Protection

Use $fillable or $guarded and avoid Model::unguard()
Prefer DTOs or explicit attribute mapping

SQL Injection Prevention

Use Eloquent or query builder parameter binding
Avoid raw SQL unless strictly necessary

DB::select('select * from users where email = ?', [$email]);

XSS Prevention

Blade escapes output by default ({{ }})
Use {!! !!} only for trusted, sanitized HTML
Sanitize rich text with a dedicated library

CSRF Protection

Keep VerifyCsrfToken middleware enabled
Include @csrf in forms and send XSRF tokens for SPA requests

For SPA authentication with Sanctum, ensure stateful requests are configured:

// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),

File Upload Safety

Validate file size, MIME type, and extension
Store uploads outside the public path when possible
Scan files for malware if required

final class UploadInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return (bool) $this->user()?->can('upload-invoice');
    }

    public function rules(): array
    {
        return [
            'invoice' => ['required', 'file', 'mimes:pdf', 'max:5120'],
        ];
    }
}

$path = $request->file('invoice')->store(
    'invoices',
    config('filesystems.private_disk', 'local') // set this to a non-public disk
);

Rate Limiting

Apply throttle middleware on auth and write endpoints
Use stricter limits for login, password reset, and OTP

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    return [
        Limit::perMinute(5)->by($request->ip()),
        Limit::perMinute(5)->by(strtolower((string) $request->input('email'))),
    ];
});

Secrets and Credentials

Never commit secrets to source control
Use environment variables and secret managers
Rotate keys after exposure and invalidate sessions

Encrypted Attributes

Use encrypted casts for sensitive columns at rest.

protected $casts = [
    'api_token' => 'encrypted',
];

Security Headers

Add CSP, HSTS, and frame protection where appropriate
Use trusted proxy configuration to enforce HTTPS redirects

Example middleware to set headers:

use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, \Closure $next): Response
    {
        $response = $next($request);

        $response->headers->add([
            'Content-Security-Policy' => "default-src 'self'",
            'Strict-Transport-Security' => 'max-age=31536000', // add includeSubDomains/preload only when all subdomains are HTTPS
            'X-Frame-Options' => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy' => 'no-referrer',
        ]);

        return $response;
    }
}

CORS and API Exposure

Restrict origins in config/cors.php
Avoid wildcard origins for authenticated routes

// config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
    'allowed_origins' => ['https://app.example.com'],
    'allowed_headers' => [
        'Content-Type',
        'Authorization',
        'X-Requested-With',
        'X-XSRF-TOKEN',
        'X-CSRF-TOKEN',
    ],
    'supports_credentials' => true,
];

Logging and PII

Never log passwords, tokens, or full card data
Redact sensitive fields in structured logs

use Illuminate\Support\Facades\Log;

Log::info('User updated profile', [
    'user_id' => $user->id,
    'email' => '[REDACTED]',
    'token' => '[REDACTED]',
]);

Dependency Security

Run composer audit regularly
Pin dependencies with care and update promptly on CVEs

Signed URLs

Use signed routes for temporary, tamper-proof links.

use Illuminate\Support\Facades\URL;

$url = URL::temporarySignedRoute(
    'downloads.invoice',
    now()->addMinutes(15),
    ['invoice' => $invoice->id]
);

use Illuminate\Support\Facades\Route;

Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])
    ->name('downloads.invoice')
    ->middleware('signed');