Laravel Security Best Practices – Features to Secure PHP Apps

Also, how secure is Laravel itself? If any, which tools and software should we pair Laravel with to create a bullet-proof, secure environment?
In the following post, we’ll discuss several key components of Laravel security and recommended best practices for Laravel applications.
Let’s discuss some of the key out-of-the-box security features and how they work.

Laravel’s built-in Security Features

CSRF (cross-site request forgery) protection

Laravel uses the Form Classes Token Method (for short, CSRF token), which is enabled by default. You can see the token and a predefined CSRF filter embedded in the source code. 

In the most simple terms, CSRF protection makes sure that each request actually comes for your app, not a potential XSS attack by a third party. If the CSRF filter detects a potentially threatening request, it returns the HTTP 500 error and denies access.

Password hashing

Laravel comes with a native hash mechanism based on Bcrypt and Argon2 (the latter of which comprises two variants, Argon2i and Argon2id, which you can read more about in Laravel Hashing documentation). 

Using Laravel’s built-in login (LoginController) and register (RegisterController) classes, you enable Bcrypt as the default method for saving user passwords, registration, and authentication. 

You can also take other actions to build upon this out-of-the-box security feature, which we discuss later in this post.

Cookies protection

Laravel will also ensure your cookies are bullet-proof, provided that you create and enable an application key (also known as the encryption key). 

Depending on the Laravel version you’re working on, you’ll either need to add the key to the app.php file in the config folder (versions 5 and above) or in your application.php file in the config directory (versions 3 and below). There’s a comprehensive explanation of the differences in the Auth0 blog that you can follow.

Encryption

Laravel features an encrypter that leverages the OpenSSL library to provide AES-256 and AES-128 encryption. To ensure that no encrypted data can be modified by an unauthorized party, Laravel signs encrypted values using a Message Authentication Code (MAC). 

To enable this security feature, you must add the “key” option in the config/app.php configuration file, as discussed in detail in official Laravel encryption guidelines.

Session management

Laravel’s API allows you to access a whole array of databases and popular drivers, most prominently file (enabled by default in the config/session.php file), cookie, array, APC, Memcached, and Redis. The file driver is applied in Laravel by default as it’s considered a lightweight and versatile option, fitting for many web applications. However, Memcached and Redis are recommended for wider production environments, as they boost session performance.

As you can see, much Laravel security work is done upfront – especially if you decide to run with the default options and don’t require much customization (which is the recommended route in areas like encryption).

Now, let’s look at some of the best practices to follow if you want to contribute to your web application security further.

Laravel has many built-in features that will increase the security of your application. However, you should know how to use them.

Laravel Security – Best Practices

For starters, let’s take a look at securing cookies.

Cookies protection

When you go to your config directory, Laravel will automatically generate a new application/encryption key for you. However, it is generally advised to change it into a difficult, randomized password of at least 32 characters for double protection. You want to minimize the possibility of the breach as much as possible!

Hashing passwords

As discussed above, Laravel comes with a native hash mechanism based on Bcrypt and Argon2. The general rule is that for Laravel, slow hashes = good hashes. Hence, it would help if you made sure not to use weak hashing functions like MD5 and SHA1 (here’s a great explanatory piece that dives into the subject).

Validating & filtering all data

Here’s a golden rule– validate everything! Whether it involves your server, a GET or POST request, or comes via any other route. Laravel comes with a variety of validation rules and instructions on how to create your own safety.

Use in-built encryption

As in the case of hashing passwords, Laravel’s in-built encryption is the absolute best way to keep your web application on the safe side. Hence, it is strongly recommended to use the default encryption rather than building your own, where framework creators can’t guarantee safety.

Expiring and destroying HTTP sessions

HTTP sessions store a certain amount of data about the app’s users. Hence, it is absolutely crucial that you destroy sessions after any significant state change to the web app, such as a password or security update. For more information, we recommend that you look into Laravel session management documentation.

Other recommendations

Apart from the features discussed above, there are other important security areas beyond this post’s scope but worth looking into.

These include: 

• keeping SSL/TLS configurations up to date,
• limiting Requests to Prevent DDoS attacks, 
• implementing a Content Security Policy, 
• application security monitoring. 

Here’s a comprehensive checklist on the Laravel News blog that speaks about these and other security features.

Laravel security summary

As we wrap this post, we’d like to leave you with the main takeaways – refer to this table whenever need be!

Final thoughts

We hope that this post helped you gain an understanding of Laravel security basics and why it’s this popular among PHP developers. Without a doubt, it is an extremely versatile solution that empowers software creators to put security at the forefront of their online presence.