asper brothers team
12 Dec 2019 17 min to read

Laravel Security – Best Practices To Protect Your Web App

If you’re reading this post, then you’ve likely heard that Laravel is the recommended PHP framework for robust application security. You might wonder, however, what exactly makes Laravel the preferred choice and how far its security options extend. 
  • We will introduce Laravel’s built-in security features. 
  • We will also take a look at Laravel’s security best practices.
  • See the table we prepared to summarize the Laravel security topic – we’d like to leave you with the main takeaways.

Also, how secure is Laravel itself? Which tools and software, if any, should we pair Laravel up with to create a truly bullet-proof, secure environment?
In the following post, we’ll discuss several key components of Laravel security and recommended best practices for Laravel applications.
For starters, let’s discuss some of the key out-of-the-box security features and how they work.

 

Laravel’s built-in security features

CSRF (cross-site request forgery) protection

Laravel uses the Form Classes Token Method (for short, CSRF token), which is enabled by default. You can see the token and a predefined CSRF filter embedded in the source code. 

In the simplest terms, CSRF protection makes sure that each request actually comes from your app, not from a potential XSS attack by a third party. If the CSRF filter detects a potentially threatening request, it returns the HTTP 500 error and denies access.
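The three places the CSRF token appears in a Laravel app, as an added example that is not code from the original post; the paths and route names are hypothetical:

```php
<?php
// Added example (not the post's code): where Laravel's CSRF token shows up.
// Paths and route names below are hypothetical.

// 1. Blade view: every state-changing form embeds the session token.
//    <form method="POST" action="/profile">
//        @csrf   {{-- renders <input type="hidden" name="_token" value="..."> --}}
//        ...
//    </form>

// 2. The "web" middleware group runs VerifyCsrfToken, which compares _token
//    (or the X-CSRF-TOKEN / X-XSRF-TOKEN headers) with the token stored in
//    the session. GET, HEAD and OPTIONS requests are not checked, so never
//    let a GET route change state. File: app/Http/Middleware/VerifyCsrfToken.php
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from verification. Keep this list minimal and review it:
     * each entry is a state-changing endpoint that a third-party page can
     * submit with the victim's cookies attached. Third-party webhooks that
     * are authenticated by their own signature are the usual legitimate case.
     */
    protected $except = [
        'webhooks/payment-provider',   // hypothetical, signature-verified webhook
    ];
}

// 3. JavaScript calls: expose the token once in the layout
//    <meta name="csrf-token" content="{{ csrf_token() }}">
//    and send it as a header on each fetch()/XMLHttpRequest:
//    fetch('/profile', {
//        method: 'POST',
//        headers: { 'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content },
//        body: new FormData(form),
//    });
```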

 

Laravel has a lot of security features: protection against XSS and SQL Injections, CSRF protection for forms and many others. Thanks to the “guards” you can even track every single request on your site!

Marcin Rosa, ASPER BROTHERS Developer


Password hashing

Laravel comes with a native hash mechanism based on Bcrypt and Argon2 (the latter comes in two variants, Argon2i and Argon2id, which you can read more about in the Laravel Hashing documentation). 

By using Laravel’s built-in login (LoginController) and register (RegisterController) classes, you get Bcrypt as the default method for storing user passwords at registration and verifying them during authentication. 

There are also other actions you can take to further build upon this out-of-the-box security feature, which we discuss later in this post.

 

Cookies protection

Laravel will also make sure your cookies are bullet-proof, provided that you create and enable an application key (also known as the encryption key). 

Depending on the Laravel version you’re working with, you’ll either need to add the key to the app.php file in the config folder (versions 5 and above) or to your application.php file in the config directory (versions 3 and below). There’s a comprehensive explanation of the differences on the Auth0 blog that you can follow.

 

Encryption

Laravel features an encrypter that leverages the OpenSSL library to provide AES-256 and AES-128 encryption. To make sure that no encrypted data can be modified by an unauthorized party, Laravel signs encrypted values using a Message Authentication Code (MAC). 

To enable this security feature, you must add the “key” option in the config/app.php configuration file, as discussed in detail in official Laravel encryption guidelines.

 

Session management

Laravel’s session API supports a whole array of storage backends and popular drivers, most prominently file (enabled by default in the config/session.php file), cookie, array, apc, Memcached, and Redis. The file driver is applied in Laravel by default as it’s considered a lightweight and versatile option, fitting for many web applications. However, it’s Memcached and Redis that are recommended for bigger production environments, as they boost session performance.

As you can see, a lot of Laravel security work is done upfront – especially if you decide to run with the default options and don’t require much customization (which is the recommended route in areas like encryption).

Now, let’s take a look at some of the best practices to follow if you want to further contribute to your web application security.


Laravel security – best practices

For starters, let’s take a look at securing cookies.

Cookies protection

Laravel generates a new application/encryption key for you in your config directory. However, it is generally advised that you change it into a difficult, randomized password of at least 32 characters for double protection. You want to minimize the possibility of breach as much as possible!

 

Hashing passwords

As discussed above, Laravel comes with a native hash mechanism based on Bcrypt and Argon2. The general rule here worth remembering is that for Laravel, slow hashes = good hashes. Hence, you should make sure not to use weak hashing functions like MD5 and SHA1 (here’s a great explanatory piece that dives into the subject).
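Storing and checking passwords with Laravel's Hash facade, as an added example that is not code from the original post and that covers both the built-in hashing feature described earlier and the slow-hash rule here; it assumes `$user` is an Eloquent user model with a `password` column, and the config values shown are illustrative choices, not Laravel's shipped defaults:

```php
<?php
// Added example (not the post's code): password storage with the Hash facade.
// $user is assumed to be an Eloquent user model with a "password" column.

use Illuminate\Support\Facades\Hash;

// config/hashing.php selects the algorithm and its cost. Values here are
// illustrative, not Laravel's shipped defaults:
//   'driver' => 'bcrypt',                 // or 'argon', 'argon2id'
//   'bcrypt' => ['rounds' => 12],         // work factor; each +1 doubles the time
//   'argon'  => ['memory' => 65536, 'threads' => 2, 'time' => 3],
// Raising the cost over time is how "slow hashes" stay slow as hardware speeds up.

function storePassword($user, string $plain): void
{
    // Weak, do not do this: md5()/sha1() are fast and unsalted, so a leaked
    // table is cracked offline at billions of guesses per second.
    //   $user->password = md5($plain);
    //
    // Hash::make() salts and stretches the password with the configured
    // driver; the result embeds algorithm, cost and salt, e.g. "$2y$12$...".
    $user->password = Hash::make($plain);
    $user->save();
}

function checkPassword($user, string $plain): bool
{
    // Hash::check() is a constant-time verify (password_verify() underneath).
    if (! Hash::check($plain, $user->password)) {
        return false;
    }

    // Stored hashes carry their own cost, so old hashes keep validating after
    // you raise 'rounds'. needsRehash() flags them; upgrade on the next login,
    // the only moment the plaintext is available.
    if (Hash::needsRehash($user->password)) {
        $user->password = Hash::make($plain);
        $user->save();
    }

    return true;
}
```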

 

Validating & filtering all data

Here’s a golden rule – validate everything! Regardless of whether it involves your server, a GET or POST request, or comes via any other route. Laravel comes with a variety of validation rules and instructions on how to create your own validation rules.
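A form request that validates a hypothetical "update profile" submission, as an added example that is not code from the original post; the class name, field names and the `users` table are assumptions:

```php
<?php
// Added example (not the post's code): a hypothetical UpdateProfileRequest
// using built-in rules, a Rule object and a custom closure rule.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class UpdateProfileRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;   // anonymous submissions get a 403
    }

    public function rules(): array
    {
        return [
            // Array syntax (not 'required|max:100') so regex patterns containing '|' are safe.
            'name'     => ['required', 'string', 'max:100'],
            'email'    => ['required', 'email:rfc', 'max:254',
                           Rule::unique('users', 'email')->ignore($this->user()->id)],
            'website'  => ['nullable', 'url', 'max:255'],
            'locale'   => ['required', Rule::in(['en', 'pl', 'de'])],   // whitelist, never a free-form value
            'avatar'   => ['nullable', 'image', 'max:2048'],            // type sniffed server-side; size in KB
            'username' => ['required', 'regex:/^[a-z0-9_]{3,30}$/'],
            'bio'      => ['nullable', 'string', 'max:500',
                           function ($attribute, $value, $fail) {
                               // custom rule: reject anything that looks like markup
                               if (preg_match('/<[^>]+>/', $value)) {
                                   $fail("The $attribute field may not contain HTML tags.");
                               }
                           }],
        ];
    }
}

// In the controller, persist only the validated fields. validated() returns
// exactly the keys declared above, so an extra "is_admin=1" in the POST body
// is dropped instead of reaching the model.
//
//   public function update(UpdateProfileRequest $request)
//   {
//       $request->user()->fill($request->validated())->save();
//       return redirect()->route('profile.edit');
//   }
```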

 

Use in-built encryption

As in the case of hashing passwords, Laravel’s in-built encryption is the absolute best way to keep your web application on the safe side. Hence, it is strongly recommended to use the default encryption rather than building your own, where the safety can’t be guaranteed by framework creators.
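The built-in encrypter in use, with the key configuration from the Encryption section above and the tamper detection its MAC provides, as an added example that is not code from the original post; the function names are assumptions:

```php
<?php
// Added example (not the post's code): Crypt with key setup and tamper handling.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

// config/app.php: the encrypter needs a key and a cipher. Generate the key with
// `php artisan key:generate`, which writes APP_KEY to .env; keep it out of git.
//
//   'key'    => env('APP_KEY'),   // "base64:..." of 32 random bytes for AES-256-CBC
//   'cipher' => 'AES-256-CBC',    // or 'AES-128-CBC' with a 16-byte key
//
// Rotating APP_KEY makes every existing ciphertext undecryptable, so plan
// re-encryption before changing it.

function storeSecret(string $plaintext): string
{
    // Output is base64 JSON {iv, value, mac}: a fresh random IV per call, the
    // AES ciphertext, and an HMAC-SHA256 over iv+value keyed with APP_KEY.
    return Crypt::encryptString($plaintext);
}

function readSecret(string $payload): ?string
{
    try {
        // decryptString() verifies the MAC in constant time before decrypting,
        // so a payload that was modified, truncated or produced under another
        // key fails here instead of yielding silently corrupted plaintext.
        return Crypt::decryptString($payload);
    } catch (DecryptException $e) {
        // Treat as tampering or a key mismatch: log it, return nothing to the
        // caller, and do not echo the exception message to the client.
        return null;
    }
}
```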

 

Expiring and destroying HTTP sessions

HTTP sessions store a certain amount of data about the app’s users. Hence, it is absolutely crucial that you destroy sessions after any significant state change to the web app, such as a password or security update. For more information, we recommend that you look into Laravel session management documentation.
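Invalidating sessions after a password change, together with the config/session.php settings from the Session management section above, as an added example that is not code from the original post; the controller and route names are assumptions:

```php
<?php
// Added example (not the post's code): session hardening and invalidation
// after a password change. Controller and route names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

// config/session.php: 'driver' => env('SESSION_DRIVER', 'file') keeps sessions
// in storage/framework/sessions; multi-server production setups use 'redis'
// or 'memcached'. Also set 'secure' => true (cookie sent only over HTTPS),
// 'http_only' => true (not readable by scripts) and a 'lifetime' that fits
// the application.

class PasswordController extends Controller
{
    public function update(Request $request)
    {
        $data = $request->validate([
            'current_password' => ['required'],
            'password'         => ['required', 'string', 'min:12', 'confirmed'],
        ]);

        if (! Hash::check($data['current_password'], $request->user()->password)) {
            return back()->withErrors(['current_password' => 'Incorrect password.']);
        }

        // Stores the new hash on the user and logs out every other session,
        // so a session stolen before the change cannot keep using the account.
        // Requires the AuthenticateSession middleware in the "web" group.
        Auth::logoutOtherDevices($data['password']);

        // This session gets a fresh id and a fresh CSRF token as well.
        $request->session()->regenerate();
        $request->session()->regenerateToken();

        return redirect()->route('profile.edit');
    }
}
```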

 

Other recommendations

Apart from the features discussed above, there are other important security areas beyond the scope of this post, but worth looking into.

These include: 

  • keeping SSL/TLS configurations up to date,
  • limiting requests to prevent DDoS attacks, 
  • implementing a Content Security Policy, and
  • application security monitoring. 

Here’s a comprehensive checklist on the Laravel News blog that speaks about these and other security features.

Laravel security summary

As we wrap this post, we’d like to leave you with the main takeaways – refer to this table whenever need be!

  • Cookies protection: change the automatically generated application/encryption key into a randomized password of at least 32 characters.
  • Hashing passwords: use slow hashes; do not use MD5 and SHA1.
  • Validating & filtering data: validate all incoming data; use Laravel’s extensive validation rules.
  • Encryption: use Laravel’s in-built encryption; it’s not recommended to build your own.
  • Sessions: expire and destroy sessions after any significant change.

 

Final thoughts

We hope that this post helped you gain an understanding of Laravel security basics and why it’s so popular among PHP developers. Without doubt, it is an extremely versatile solution that empowers software creators to put security at the forefront of their online presence.

 

Call to action

If there’s any other security feature or Laravel-related subject you’d like to hear about further, let us know in the comments!
