---

name: laravel-security description: Laravel security best practices for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. origin: ECC

Laravel Security Best Practices

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

When to Activate

• Adding authentication or authorization
• Handling user input and file uploads
• Building new API endpoints
• Managing secrets and environment settings
• Hardening production deployments

How It Works

• Middleware provides baseline protections (CSRF via VerifyCsrfToken, security headers via SecurityHeaders).
• Guards and policies enforce access control (auth:sanctum, $this->authorize, policy middleware).
• Form Requests validate and shape input (UploadInvoiceRequest) before it reaches services.
• Rate limiting adds abuse protection (RateLimiter::for('login')) alongside auth controls.
• Data safety comes from encrypted casts, mass-assignment guards, and signed routes (URL::temporarySignedRoute + signed middleware).

Core Security Settings

• APP_DEBUG=false in production
• APP_KEY must be set and rotated on compromise
• Set SESSION_SECURE_COOKIE=true and SESSION_SAME_SITE=lax (or strict for sensitive apps)
• Configure trusted proxies for correct HTTPS detection

Session and Cookie Hardening

• Set SESSION_HTTP_ONLY=true to prevent JavaScript access
• Use SESSION_SAME_SITE=strict for high-risk flows
• Regenerate sessions on login and privilege changes

Authentication and Tokens

• Use Laravel Sanctum or Passport for API auth
• Prefer short-lived tokens with refresh flows for sensitive data
• Revoke tokens on logout and compromised accounts

Example route protection:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});

Password Security

• Hash passwords with Hash::make() and never store plaintext
• Use Laravel's password broker for reset flows

use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

$validated = $request->validate([
    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],
]);

$user->update(['password' => Hash::make($validated['password'])]);

Authorization: Policies and Gates

• Use policies for model-level authorization
• Enforce authorization in controllers and services

$this->authorize('update', $project);

Use policy middleware for route-level enforcement:

use Illuminate\Support\Facades\Route;

Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);

Validation and Data Sanitization

• Always validate inputs with Form Requests
• Use strict validation rules and type checks
• Never trust request payloads for derived fields

Mass Assignment Protection

• Use $fillable or $guarded and avoid Model::unguard()
• Prefer DTOs or explicit attribute mapping

SQL Injection Prevention

• Use Eloquent or query builder parameter binding
• Avoid raw SQL unless strictly necessary

DB::select('select * from users where email = ?', [$email]);

XSS Prevention

• Blade escapes output by default ({{ }})
• Use {!! !!} only for trusted, sanitized HTML
• Sanitize rich text with a dedicated library

CSRF Protection

• Keep VerifyCsrfToken middleware enabled
• Include @csrf in forms and send XSRF tokens for SPA requests

For SPA authentication with Sanctum, ensure stateful requests are configured:

// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),

File Upload Safety

• Validate file size, MIME type, and extension
• Store uploads outside the public path when possible
• Scan files for malware if required

final class UploadInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return (bool) $this->user()?->can('upload-invoice');
    }

    public function rules(): array
    {
        return [
            'invoice' => ['required', 'file', 'mimes:pdf', 'max:5120'],
        ];
    }
}

$path = $request->file('invoice')->store(
    'invoices',
    config('filesystems.private_disk', 'local') // set this to a non-public disk
);

Rate Limiting

• Apply throttle middleware on auth and write endpoints
• Use stricter limits for login, password reset, and OTP

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    return [
        Limit::perMinute(5)->by($request->ip()),
        Limit::perMinute(5)->by(strtolower((string) $request->input('email'))),
    ];
});

Secrets and Credentials

• Never commit secrets to source c