Laravel Security – Best Practices To Protect Your Web App
- We will introduce Laravel’s built-in security features.
- We will also take a look at Laravel’s security best practices.
- See the table we prepared to summarize the Laravel security topic – we’d like to leave you with the main takeaways.
Also, how secure is Laravel itself? Which tools and software, if any, should we pair Laravel up with to create a truly bullet-proof, secure environment?
In the following post, we’ll discuss several key components of Laravel security and recommended best practices for Laravel applications.
For starters, let’s discuss some of the key out-of-the-box security features and how they work.
Laravel’s built-in security features
CSRF (cross-site request forgery) protection
Laravel uses the Form Classes Token Method (for short, CSRF token), which is enabled by default. You can see the token and a predefined CSRF filter embedded in the source code.
In the simplest terms, CSRF protection makes sure that each request actually comes from your app, not from a potential XSS attack by a third party. If the CSRF filter detects a potentially threatening request, it returns an HTTP 500 error and denies access.
Laravel has a lot of security features: protection against XSS and SQL Injections, CSRF protection for forms and many others. Thanks to the “guards” you can even track every single request on your site!
Marcin Rosa, ASPER BROTHERS Developer
Laravel comes with a native hash mechanism based on Bcrypt and Argon2 (the latter comes in two variants, Argon2i and Argon2id, which you can read more about in the Laravel Hashing documentation).
By using Laravel’s built-in login (LoginController) and register (RegisterController) classes, you enable Bcrypt as the default method for saving user passwords, registration, and for the authentication process.
There are also other actions you can take to further build upon this out-of-the-box security feature, which we discuss later in this post.
Laravel will also make sure your cookies are bullet-proof, provided that you create and enable an application key (also known as the encryption key).
Depending on the Laravel version you’re working on, you’ll either need to add the key to the app.php file in the config folder (versions 5 and above) or in your application.php file in the config directory (versions 3 and below). There’s a comprehensive explanation of the differences on the Auth0 blog that you can follow.
Laravel features an encrypter that leverages the OpenSSL library to provide AES-256 and AES-128 encryption. To make sure that no encrypted data can be modified by an unauthorized party, Laravel signs encrypted values using a Message Authentication Code (MAC).
To enable this security feature, you must add the “key” option in the config/app.php configuration file, as discussed in detail in official Laravel encryption guidelines.
Laravel’s API allows you to access a whole array of databases and popular drivers, most prominently file (enabled by default in the config/session.php file), cookie, array, apc, Memcached, and Redis. The file driver is applied in Laravel by default as it’s considered a lightweight and versatile option, fitting for many web applications. However, it’s Memcached and Redis that are recommended for bigger production environments, as they boost session performance.
As you can see, a lot of Laravel security work is done upfront – especially if you decide to run with the default options and don’t require much customization (which is the recommended route in areas like encryption).
Now, let’s take a look at some of the best practices to follow if you want to further contribute to your web application security.
Laravel security – best practices
For starters, let’s take a look at securing cookies.
When you go to your config directory, Laravel will automatically generate a new application/encryption key for you. However, it is generally advised that you change it to a strong, randomized value of at least 32 characters for extra protection. You want to minimize the possibility of a breach as much as possible!
As discussed above, Laravel comes with a native hash mechanism based on Bcrypt and Argon2. The general rule here worth remembering is that for Laravel, slow hashes = good hashes. Hence, you should make sure not to use weak hashing functions like MD5 and SHA1 (here’s a great explanatory piece that dives into the subject).
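As an added example (not code from the original post), this is how the hashing feature described above is used for registration and login in a standard Laravel application; the PasswordService class and the Argon2 parameters in the comment are assumptions, not defaults:

```php
<?php
// Added example, not from the original post. Assumes a standard Laravel app
// (Hash facade, Eloquent User model); the argon2 parameters are illustrative.

namespace App\Services;

use App\Models\User;
use Illuminate\Support\Facades\Hash;

class PasswordService
{
    // Registration: never store the plaintext. Hash::make() applies the slow,
    // salted hash configured in config/hashing.php: bcrypt by default, or
    // 'driver' => 'argon2id' with e.g. 'argon' => ['memory' => 65536, 'threads' => 1, 'time' => 4].
    public function register(string $email, string $plainPassword): User
    {
        return User::create([
            'email'    => $email,
            'password' => Hash::make($plainPassword),
        ]);
    }

    // Login: Hash::check() verifies the password against the stored hash.
    // If the stored hash was produced with weaker parameters (fewer bcrypt
    // rounds, or before a switch to argon2id), upgrade it transparently
    // while the plaintext is available.
    public function verify(User $user, string $plainPassword): bool
    {
        if (! Hash::check($plainPassword, $user->password)) {
            return false;
        }

        if (Hash::needsRehash($user->password)) {
            $user->forceFill(['password' => Hash::make($plainPassword)])->save();
        }

        return true;
    }

    // Anti-pattern for contrast: md5()/sha1() are fast and unsalted, so a
    // leaked table can be cracked at billions of guesses per second.
    // Never do this:  $user->password = md5($plainPassword);
}
```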
Validating & filtering all data
Here’s a golden rule: validate everything! This applies regardless of whether the data involves your server, arrives in a GET or POST request, or comes via any other route. Laravel comes with a variety of validation rules and instructions on how to create your own.
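An added example (not from the original post) of the validation approach above, combining Laravel's built-in rules with a custom rule class; it assumes Laravel 10+ and the request, rule and model names are illustrative:

```php
<?php
// Added example, not from the original post. Assumes Laravel 10+ (the
// ValidationRule contract); class and field names are illustrative.

namespace App\Http\Requests;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Foundation\Http\FormRequest;

// Custom rule: reject strings carrying control characters or NUL bytes,
// which have no place in user-facing text and trip up downstream parsers.
class NoControlChars implements ValidationRule
{
    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        if (is_string($value) && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
            $fail('The :attribute field contains invalid characters.');
        }
    }
}

// Form request: every field that may be submitted is listed with an explicit
// type and length; anything not listed is simply not part of validated().
class StoreCommentRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;   // only logged-in users may comment
    }

    public function rules(): array
    {
        return [
            'post_id' => ['required', 'integer', 'exists:posts,id'],
            'body'    => ['required', 'string', 'max:2000', new NoControlChars],
            'website' => ['nullable', 'url', 'max:255'],
        ];
    }
}

// In the controller, type-hinting the request runs validation before the
// method body executes. Persist only validated() data, never $request->all(),
// so unexpected fields cannot slip through:
//
//   public function store(StoreCommentRequest $request)
//   {
//       $comment = Comment::create($request->validated() + ['user_id' => $request->user()->id]);
//       return redirect()->route('posts.show', $comment->post_id);
//   }
```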
Use in-built encryption
As in the case of hashing passwords, Laravel’s in-built encryption is the absolute best way to keep your web application on the safe side. Hence, it is strongly recommended to use the default encryption rather than building your own, where the safety can’t be guaranteed by framework creators.
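As an added example (not code from the original post) serving both the encrypter description earlier and this recommendation, the following shows the built-in encrypter in use and demonstrates the MAC rejecting a modified value; it assumes an application with APP_KEY set, and the SecretStore class and sample value are constructed:

```php
<?php
// Added example, not from the original post. Assumes a Laravel app whose
// APP_KEY is set (php artisan key:generate), so config('app.key') is populated.

namespace App\Services;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

class SecretStore
{
    // Encrypt with the framework's encrypter: AES-256-CBC (config/app.php
    // 'cipher') with a random IV, plus an HMAC-SHA256 MAC over IV + ciphertext.
    // The result is a base64-encoded JSON payload {iv, value, mac, ...}.
    public function seal(string $plaintext): string
    {
        return Crypt::encryptString($plaintext);
    }

    // Decrypt; returns null instead of throwing if the payload is malformed or
    // its MAC no longer matches, i.e. someone modified the stored value.
    public function open(string $payload): ?string
    {
        try {
            return Crypt::decryptString($payload);
        } catch (DecryptException $e) {
            return null;
        }
    }

    // Shows that the MAC catches tampering: flipping one byte of the
    // ciphertext makes decryption fail rather than yield garbled plaintext.
    public function tamperingIsDetected(): bool
    {
        $sealed  = $this->seal('card-token-1234');         // constructed sample value
        $decoded = json_decode(base64_decode($sealed), true);
        $cipher  = base64_decode($decoded['value']);
        $cipher[0] = chr(ord($cipher[0]) ^ 0x01);          // corrupt the first byte
        $decoded['value'] = base64_encode($cipher);
        $tampered = base64_encode(json_encode($decoded));

        return $this->open($tampered) === null
            && $this->open($sealed) === 'card-token-1234';
    }
}
```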
Expiring and destroying HTTP sessions
HTTP sessions store a certain amount of data about the app’s users. Hence, it is absolutely crucial that you destroy sessions after any significant state change to the web app, such as a password or security update. For more information, we recommend that you look into Laravel session management documentation.
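An added example (not from the original post) of destroying sessions after a significant state change, here a password update; it assumes the default auth scaffolding with the AuthenticateSession middleware enabled, and the controller and route names are illustrative:

```php
<?php
// Added example, not code from the original post. Assumes a Laravel app using
// the default auth scaffolding with the AuthenticateSession middleware, so
// Auth::logoutOtherDevices() can invalidate sessions on other devices.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    public function update(Request $request): RedirectResponse
    {
        $data = $request->validate([
            'current_password' => ['required', 'current_password'],
            'password'         => ['required', 'confirmed', 'min:12'],
        ]);

        $user = $request->user();
        $user->forceFill(['password' => Hash::make($data['password'])])->save();

        // 1. Every other session for this user stops being valid: their stored
        //    password hash no longer matches. Pass the new password, since it
        //    has just been saved.
        Auth::logoutOtherDevices($data['password']);

        // 2. Rotate this session's ID (and with it the CSRF token) so an ID
        //    captured before the change is worthless afterwards.
        $request->session()->regenerate();

        return redirect()->route('profile')->with('status', 'Password updated.');
    }

    // Logout: wipe all session data, then issue a fresh ID and CSRF token.
    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```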
Apart from the features discussed above, there are other important security areas beyond the scope of this post, but worth looking into:
- keeping SSL/TLS configurations up to date,
- limiting requests to prevent DDoS attacks,
- implementing a Content Security Policy, and
- application security monitoring.
Here’s a comprehensive checklist on the Laravel News blog that speaks about these and other security features.
Laravel security summary
As we wrap this post, we’d like to leave you with the main takeaways – refer to this table whenever need be!
| Area | Takeaway |
|---|---|
| Securing cookies (application key) | Change the automatically generated application/encryption key to a randomized password of at least 32 characters. |
| Hashing passwords | Use slow hashes; do not use MD5 and SHA1. |
| Validating & filtering data | Validate all incoming data; use Laravel’s extensive validation rules. |
| Encryption | Use Laravel’s in-built encryption; it’s not recommended to build your own. |
| HTTP sessions | Expire and destroy sessions after any significant change. |
We hope that this post helped you gain an understanding of Laravel security basics and why it’s so popular among PHP developers. Without doubt, it is an extremely versatile solution that empowers software creators to put security at the forefront of their online presence.
If there’s any other security feature or Laravel-related subject you’d like to hear about further, let us know in the comments!