Laravel Security Best Practices – Features to Secure PHP Apps
- We will introduce Laravel’s built-in security features.
- We will also take a look at Laravel’s security best practices.
- A summary table at the end collects the main takeaways, so you can refer back to it whenever you need.
Also, how secure is Laravel itself? If any, which tools and software should we pair Laravel with to create a bullet-proof, secure environment?
In the following post, we’ll discuss several key components of Laravel security and recommended best practices for Laravel applications.
Let’s discuss some of the key out-of-the-box security features and how they work.
Laravel’s built-in Security Features
CSRF (cross-site request forgery) protection
Laravel generates a CSRF token for every active user session and checks it with the `VerifyCsrfToken` middleware, which belongs to the `web` middleware group and is therefore enabled by default. Forms include the token with the `@csrf` Blade directive (a hidden `_token` field); JavaScript clients send the same token in the `X-CSRF-TOKEN` header.
In the simplest terms, CSRF protection makes sure that a state-changing request (POST, PUT, PATCH, DELETE) was issued from a page your application served, not from a form on another site that a logged-in user’s browser was tricked into submitting. It is a separate concern from XSS: an attacker who can already run script in your page can read the token, so CSRF protection is not a defence against XSS. When the token is missing or does not match the session, the middleware throws a `TokenMismatchException`, which Laravel renders as an HTTP 419 (“Page Expired”) response, not a 500.
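The pieces above in one place, as an added example that is not part of the original post: a Blade view that embeds the session token both in a form and in a `<meta>` tag for a JSON request, and the application’s `VerifyCsrfToken` middleware with one webhook route exempted because a third-party server can never know a user’s token. The view path, the `profile.update` route, the `$user` variable and the `webhooks/payments` endpoint are assumptions; the webhook is assumed to authenticate its caller some other way (for example a provider signature) inside its controller.

```php
{{-- ---- file: resources/views/profile/edit.blade.php (assumed) ---- --}}
<meta name="csrf-token" content="{{ csrf_token() }}">

<form method="POST" action="{{ route('profile.update') }}">
    @csrf {{-- renders <input type="hidden" name="_token" value="..."> --}}
    @method('PUT')
    <input type="email" name="email" value="{{ old('email', $user->email) }}">
    <button type="submit">Save</button>
</form>

<script>
// A JSON body cannot carry the hidden field, so the same token goes in the
// X-CSRF-TOKEN header; VerifyCsrfToken accepts either location.
const token = document.querySelector('meta[name="csrf-token"]').content;
fetch('{{ route('profile.update') }}', {
    method: 'PUT',
    headers: {'Content-Type': 'application/json', 'X-CSRF-TOKEN': token},
    body: JSON.stringify({email: 'new@example.com'}),
}).then(r => {
    // 419 is what a missing, stale or foreign token produces; reload to get a fresh one.
    if (r.status === 419) { window.location.reload(); }
});
</script>

<?php
// ---- file: app/Http/Middleware/VerifyCsrfToken.php ----
namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs excluded from CSRF verification. Only endpoints that a server,
     * not a browser with a session, calls belong here, and every one of them
     * must authenticate its caller another way (assumed: the payments
     * webhook controller verifies the provider's signature before acting).
     */
    protected $except = [
        'webhooks/payments',
    ];
}
```

Keep the `$except` list as short as possible and review it in code review: an entry here is a route that any site on the internet can make a logged-in user’s browser submit.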
Laravel has many security features: protection against XSS and SQL Injection, CSRF protection for forms and many others. Thanks to the “guards”, you can even track every request on your site!
Marcin Rosa, ASPER BROTHERS Developer
Laravel comes with a native hash mechanism based on Bcrypt and Argon2 (the latter of which comprises two variants, Argon2i and Argon2id, which you can read more about in Laravel Hashing documentation).
Bcrypt is the default driver (the `driver` option in `config/hashing.php`), so the login (LoginController) and register (RegisterController) classes generated by Laravel’s authentication scaffolding store passwords with `Hash::make()` and verify them with `Hash::check()` without you ever touching the raw hash.
You can also take other actions to build upon this out-of-the-box security feature, which we discuss later in this post.
Laravel also encrypts and signs your cookies for you (the `EncryptCookies` middleware in the `web` group), provided that an application key, also known as the encryption key, is set; without it the framework refuses to boot.
Where the key lives depends on the Laravel version you’re working on. In versions 5 and above it is the `APP_KEY` variable in `.env`, which the `key` option in `config/app.php` reads and which `php artisan key:generate` creates; versions 3 and below kept it in the application.php file in the config directory. There’s a comprehensive explanation of the differences in the Auth0 blog that you can follow.
Laravel features an encrypter that leverages the OpenSSL library to provide AES-256-CBC (the default) and AES-128-CBC encryption. To ensure that no encrypted value can be modified by an unauthorized party, Laravel signs every encrypted value with a Message Authentication Code (an HMAC-SHA256 over the IV and ciphertext) and verifies the MAC before it decrypts anything; a tampered value is rejected instead of being decrypted to attacker-controlled plaintext.
The encrypter reads the `key` option in the config/app.php configuration file, i.e. the same `APP_KEY`; for AES-256-CBC it must be 32 random bytes, which is exactly what `php artisan key:generate` produces, as discussed in detail in the official Laravel encryption guidelines.
Laravel’s session API supports a whole array of storage back ends (drivers): file (the default in config/session.php), cookie, database, array, APC, Memcached, Redis and, in newer versions, DynamoDB. The file driver is the default because it is lightweight and needs no extra service, which suits many small applications. Memcached and Redis are recommended for larger production environments, where they boost session performance and let several application servers share sessions. Two caveats: the cookie driver stores the whole session in the (encrypted) client cookie, so it is bounded by cookie size, and the array driver keeps nothing between requests and is meant for tests only.
As you can see, much Laravel security work is done upfront – especially if you decide to run with the default options and don’t require much customization (which is the recommended route in areas like encryption).
Now, let’s look at some of the best practices to follow if you want to contribute to your web application security further.
Laravel Security – Best Practices
For starters, let’s take a look at securing cookies.
Creating a project with `composer create-project` runs `php artisan key:generate` for you, which writes a random 32-byte key (base64-encoded, prefixed `base64:`) to `APP_KEY` in `.env`. Do not replace it with a hand-chosen “password”: a key that is not 32 random bytes is weaker, not stronger, and a memorable one is weaker still. What you should do is generate a distinct key for every environment, keep `.env` out of version control, and treat key rotation as a planned operation, because rotating the key invalidates every cookie, session and stored value encrypted under the old one. You want to minimize the possibility of a breach as much as possible!
As discussed above, Laravel comes with a native hash mechanism based on Bcrypt and Argon2. The general rule for password storage is that slow hashes are good hashes: the work factor is what makes offline guessing expensive. Hence, make sure you never store passwords with fast, general-purpose functions like MD5 or SHA-1, salted or not (here’s a great explanatory piece that dives into the subject), and raise the bcrypt cost or Argon2 memory/time as your hardware allows.
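An added example (not from the original post) that serves both the built-in hashing section above and this best practice: the hashing configuration with a raised work factor, and a login action that verifies with `Hash::check()` and upgrades hashes created under an older, cheaper setting. The `config/hashing.php` values, the `App\Models\User` model, the controller path and the `/dashboard` redirect are assumptions.

```php
<?php
// ---- file: config/hashing.php (assumed excerpt) ----
// Each extra bcrypt round doubles the cost of every guess, for an attacker
// with a leaked table and for your login endpoint alike; pick the largest
// value that keeps a login comfortably under a second on production hardware.
return [
    'driver' => 'bcrypt',                 // 'argon2id' is the other good choice on a fresh project
    'bcrypt' => ['rounds' => 12],         // the framework default is lower
    'argon'  => ['memory' => 65536, 'threads' => 1, 'time' => 4],
];

// ---- file: app/Http/Controllers/Auth/LoginController.php (assumed, hashing part only) ----
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    public function store(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Hash::check() recomputes the slow hash with the salt and cost stored
        // in the hash string and compares in constant time. Never compare hash
        // strings with == yourself, and never store md5()/sha1() of a password.
        // One generic message for "no such user" and "wrong password" avoids
        // confirming which emails exist.
        if ($user === null || ! Hash::check($credentials['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => 'These credentials do not match our records.',
            ]);
        }

        // Hashes made under an older, cheaper setting (say rounds => 10) are
        // upgraded at the one moment the plaintext is legitimately available.
        if (Hash::needsRehash($user->password)) {
            $user->forceFill(['password' => Hash::make($credentials['password'])])->save();
        }

        Auth::login($user);
        $request->session()->regenerate();   // fresh session id on login, against session fixation

        return redirect()->intended('/dashboard');
    }
}
```

Changing the driver (bcrypt to Argon2id) after hashes exist needs more care than raising the cost: recent Laravel releases can be configured to refuse a hash produced by a different algorithm, so migrate existing users through the rehash path above before enforcing that.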
Validating & filtering all data
Here’s a golden rule: validate everything! Whether it arrives in a GET or POST request, a route parameter, a header, a file upload or any other route, treat it as untrusted until a rule has accepted it. Laravel ships with a large set of validation rules, form request classes, and instructions on how to write your own rules. Two habits make validation effective: prefer allow-lists (`in:`, `exists:`, `alpha_dash`) over trying to enumerate bad input, and pass only the validated fields on to your models, so an extra field in the request body cannot be mass-assigned. Validation does not replace output encoding: Blade’s `{{ }}` escapes on output, and `{!! !!}` does not, whatever the input rules were.
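A worked example of that rule, added here and not taken from the original post: a form request that validates an article submission with allow-lists and length limits, and a controller that stores only the validated fields. The `Article` model (assumed to declare these columns in `$fillable` and to have a `create` policy), the `articles` table, the `articles.show` route and the class paths are assumptions.

```php
<?php
// ---- file: app/Http/Requests/StoreArticleRequest.php (assumed) ----
namespace App\Http\Requests;

use App\Models\Article;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class StoreArticleRequest extends FormRequest
{
    // Authorization is part of validating a request: a well-formed body from
    // a user who may not create articles is still rejected (403).
    public function authorize(): bool
    {
        return $this->user() !== null && $this->user()->can('create', Article::class);
    }

    public function rules(): array
    {
        return [
            'title'    => ['required', 'string', 'max:120'],
            // alpha_dash allows only letters, digits, dashes and underscores,
            // so the slug can go straight into a URL.
            'slug'     => ['required', 'alpha_dash', 'max:120', Rule::unique('articles', 'slug')],
            'body'     => ['required', 'string', 'max:50000'],
            // allow-list of states; anything else (e.g. "approved") fails
            'status'   => ['required', Rule::in(['draft', 'published'])],
            'tags'     => ['array', 'max:10'],
            'tags.*'   => ['string', 'alpha_dash', 'max:30'],
            // a link the author supplies: must parse as a URL and must be https
            'homepage' => ['nullable', 'url', 'starts_with:https://'],
        ];
    }
}

// ---- file: app/Http/Controllers/ArticleController.php (assumed) ----
namespace App\Http\Controllers;

use App\Http\Requests\StoreArticleRequest;
use App\Models\Article;

class ArticleController extends Controller
{
    public function store(StoreArticleRequest $request)
    {
        // Type-hinting the form request means authorize() and rules() already
        // ran; on failure Laravel redirected back with errors (or answered a
        // JSON client with 422) before this method was entered.
        //
        // validated() returns only the keys that have rules. Using all() here
        // would let a client add "author_id" or "is_featured" to the body and
        // have it mass-assigned; with validated() those keys never reach the model.
        $article = Article::create(
            $request->validated() + ['author_id' => $request->user()->id]
        );

        return redirect()->route('articles.show', $article);
    }
}
```

The same request class can be reused for an update action with `Rule::unique(...)->ignore($article)` on the slug; everything else stays identical, which is the main reason to keep rules in a form request rather than inline in each controller.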
Use in-built encryption
As with password hashing, Laravel’s built-in encryption is the safe choice for keeping secrets your application needs to read back, such as a third-party API token or a government ID number. It is strongly recommended to use the framework’s encrypter (the `Crypt` facade, or the `encrypted` Eloquent cast) rather than assembling your own from `openssl_encrypt`: the framework’s version already picks a random IV per value, authenticates the ciphertext with a MAC, and rejects anything that fails verification, and the framework creators can guarantee none of that for a home-made scheme. Keep the distinction clear: passwords are hashed, never encrypted, because nobody should be able to get them back.
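To make the MAC point concrete for both the built-in encryption section above and this best practice, here is an added example (not from the original post) that drives Laravel’s encrypter directly, outside a full application, so it runs as a plain script after `composer require illuminate/encryption`. It encrypts a constructed sample value, flips one byte of the ciphertext, and shows that decryption is refused rather than returning corrupted plaintext. In a real application the key is `APP_KEY` and you would call `Crypt::encryptString()` / `Crypt::decryptString()` instead of constructing the `Encrypter`.

```php
<?php
// Added example: exercises Illuminate\Encryption\Encrypter stand-alone.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// In an app this is APP_KEY from .env. AES-256-CBC needs exactly 32 random
// bytes, which is what generateKey() (and artisan key:generate) produces.
$key = Encrypter::generateKey('AES-256-CBC');
$encrypter = new Encrypter($key, 'AES-256-CBC');

// Constructed sample secret; never log or echo real values like this.
$payload = $encrypter->encryptString('card-token:tok_example_123');

// The payload is base64 of a JSON object {"iv":..,"value":..,"mac":..}
// (newer versions add a "tag" field, empty for CBC). The mac is an
// HMAC-SHA256 over iv + value under the same key and is checked first.
$parts = json_decode(base64_decode($payload), true);
echo 'payload fields: ', implode(', ', array_keys($parts)), PHP_EOL;
echo 'round trip: ', $encrypter->decryptString($payload), PHP_EOL;

// Tamper with one byte of the ciphertext and re-encode the payload.
// Plain CBC would decrypt this to garbage, or to a chosen change in one
// block, and the application would trust it. With the MAC in place the
// encrypter refuses before any plaintext is produced.
$raw = base64_decode($parts['value']);
$raw[0] = chr(ord($raw[0]) ^ 0x01);
$parts['value'] = base64_encode($raw);
$tampered = base64_encode(json_encode($parts));

try {
    $encrypter->decryptString($tampered);
    echo 'unexpected: tampered payload accepted', PHP_EOL;
} catch (DecryptException $e) {
    echo 'tampered payload rejected: ', $e->getMessage(), PHP_EOL;
}

// A second Encrypter with a different key cannot read the value either:
// this is what happens to every stored value after APP_KEY is rotated.
$other = new Encrypter(Encrypter::generateKey('AES-256-CBC'), 'AES-256-CBC');
try {
    $other->decryptString($payload);
} catch (DecryptException $e) {
    echo 'wrong key rejected: ', $e->getMessage(), PHP_EOL;
}
```

Inside a Laravel app, catching `DecryptException` where you read encrypted values is the one thing to add yourself: a thrown exception is the correct outcome for a tampered or foreign value, and your code should treat it as a security event, not as an empty string.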
Expiring and destroying HTTP sessions
HTTP sessions hold per-user state, and the session ID in the cookie is as good as the user’s credentials for as long as it is valid. Hence, it is crucial to regenerate the session ID when a user logs in (so an ID an attacker planted before login stops working), to invalidate the session on logout, and to end every other session of the account after any significant state change such as a password or security-settings update. For more information, we recommend that you look into the Laravel session management documentation.
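Putting the session driver choice from the built-in features section together with this practice, here is an added example (not from the original post): a hardened `config/session.php` excerpt and a controller that ends other sessions after a password change and destroys the session on logout. The configuration values are assumptions for a production setup (Redis driver, 120-minute idle lifetime); the controller path, the `current_password` validation rule (available in recent Laravel releases) and the redirect targets are also assumptions. `Auth::logoutOtherDevices()` requires the `AuthenticateSession` middleware to be enabled in the `web` group.

```php
<?php
// ---- file: config/session.php (assumed excerpt) ----
return [
    'driver'          => env('SESSION_DRIVER', 'redis'),  // file is fine locally; redis/memcached in production
    'lifetime'        => 120,                              // minutes of inactivity before the session dies
    'expire_on_close' => true,                             // cookie does not survive closing the browser
    'encrypt'         => true,                             // session payload is encrypted in the store
    'secure'          => env('SESSION_SECURE_COOKIE', true), // cookie only sent over HTTPS
    'http_only'       => true,                             // not readable from JavaScript (blunts XSS cookie theft)
    'same_site'       => 'lax',                            // not sent on cross-site POSTs: a second line of CSRF defence
];

// ---- file: app/Http/Controllers/PasswordController.php (assumed) ----
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    public function update(Request $request)
    {
        $data = $request->validate([
            // current_password checks the value against the authenticated user's hash,
            // so a stolen session alone is not enough to change the password.
            'current_password' => ['required', 'current_password'],
            'password'         => ['required', 'confirmed', 'min:12'],
        ]);

        $user = $request->user();
        $user->forceFill(['password' => Hash::make($data['password'])])->save();

        // A password change is a security-relevant state change: any session
        // an attacker may already hold on another device must stop working.
        // Pass the new password, since the stored hash has just been replaced.
        Auth::logoutOtherDevices($data['password']);

        // Do not keep this session's old ID either. regenerate() issues a new
        // session ID and a new CSRF token while keeping the session data.
        $request->session()->regenerate();

        return back()->with('status', 'password-updated');
    }

    public function logout(Request $request)
    {
        Auth::logout();

        // invalidate() flushes all session data and issues a new ID; the
        // CSRF token is regenerated separately so the logged-out page gets
        // a fresh one rather than reusing the authenticated session's token.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

With the Redis or database driver, `logoutOtherDevices()` works by recording the current password hash in the session and letting `AuthenticateSession` reject any session whose recorded hash no longer matches, which is why the middleware has to be active for the call to have any effect.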
Apart from the features discussed above, there are other important security areas beyond this post’s scope but worth looking into.
- keeping SSL/TLS configurations up to date,
- rate limiting requests with the throttle middleware, which blunts brute-force and abusive clients (it will not stop a real DDoS on its own),
- implementing a Content Security Policy,
- application security monitoring.
Here’s a comprehensive checklist on the Laravel News blog that speaks about these and other security features.
Laravel security summary
As we wrap this post, we’d like to leave you with the main takeaways – refer to this table whenever need be!
| Area | Takeaway |
|---|---|
| Application / encryption key | Generate it with `php artisan key:generate` (32 random bytes), one per environment, never committed to version control; rotating it invalidates existing cookies, sessions and encrypted values. |
| Password hashing | Use the slow hashes Laravel provides (bcrypt, Argon2id) through `Hash::make()` / `Hash::check()`; do not use MD5 or SHA-1. |
| Validating & filtering data | Validate all incoming data with Laravel’s extensive validation rules and pass only the validated fields on. |
| Encryption | Use Laravel’s in-built encryption; it’s not recommended to build your own. |
| Sessions | Regenerate the session ID on login, invalidate it on logout, and expire and destroy other sessions after any significant change. |
We hope that this post helped you gain an understanding of Laravel security basics and why the framework is so popular among PHP developers. It is a versatile solution that gives software creators secure defaults to build on, provided they keep those defaults in place and follow the practices above.