laravel-application-security-laravelplug.com

How To Improve Laravel Security in Application

Laravel Application Security

Laravel application security is today’s topic. Laravel is the most popular PHP framework, and it is growing day by day. As a result, attackers are also actively targeting Laravel-based applications. In this article we discuss and point out some topics regarding Laravel application security.

Security measures for any application fall into two main groups: global measures, and language- or framework-specific measures. Now let’s talk about Laravel security.

First, a list of what we will cover about Laravel security:

  1. Enable SSL on the server
  2. Implement Content Security Policy
  3. Enable session and cookie encryption
  4. Validate user inputs
  5. Disable debug mode in production
  6. Do not use the GET method for changing data
  7. Don’t put .env in the public folder
  8. Authorization

Let’s jump into the ride.

1. Enable SSL on the server: Always use HTTPS on the live server, because it encrypts data in transit. Also, when users see the lock icon, they feel safe using the site.

2. Implement Content Security Policy: Content Security Policy (CSP) is an extra layer of security that helps to detect and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. These types of attacks are used for everything from data theft to site defacement to malware distribution. You can use a meta tag to implement CSP in the page header. For example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

3. Enable session and cookie encryption: In a Laravel application, generating a new application key takes care of this. Never use someone else’s application key. Just run:

php artisan key:generate

to generate a new application key in Laravel.

4. Validate user inputs: Never, ever (I repeat, never ever) trust user input. Always validate and filter user input. It is also good practice not to pass $request->all() straight into the database.

5. Disable debug mode in production: A common developer mistake is to leave “Debug” mode on in the production site. This may expose various application details to users, such as the Laravel version, crucial configuration, keys, passwords, and the third-party services used. So keep in mind: debug mode OFF in production.

6. Do not use the GET method for changing data: It is good practice not to use the GET method for updating or deleting data, because a user can hit the URL directly in the browser with different parameters. Also, always use CSRF protection on submitted forms.

7. Don’t put .env in the public folder: Some hosts require keeping the .env file in the public folder. Avoid those hosts. And please don’t put your .env file in the public folder; it may be accessible to everyone, which is a serious security risk.

8. Authorization: Authorization is another crucial point. Who is modifying whose data, audit logs, error logs, roles, permissions, gates, policies: everything should be strictly maintained in medium- to large-scale applications.
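As an added example (not code from the original article) tying together tips 4, 6 and 8: a hypothetical Post model with a user_id column, a PostPolicy, a form request that authorizes and validates, and a controller that saves only validated fields. The route, policy, request and controller are shown in one file with braced namespaces for brevity; each normally lives in the file named beside it.

```php
<?php
// Added example, not the article's code. Assumes a hypothetical Post model with a
// user_id column; each namespace block normally lives in the file named beside it.
namespace {                              // routes/web.php (tip 6)
    use App\Http\Controllers\PostController;
    use Illuminate\Support\Facades\Route;
    // PUT, not GET, so a crafted link cannot change data; web.php routes get CSRF checks, so the form needs @csrf.
    Route::middleware('auth')->put('/posts/{post}', [PostController::class, 'update']);
}
namespace App\Policies {                 // app/Policies/PostPolicy.php (tip 8)
    use App\Models\{Post, User};
    class PostPolicy
    {
        // Only the owner may change a post: "who is modifying whose data".
        public function update(User $user, Post $post): bool
        {
            return $user->id === $post->user_id;
        }
    }
}
namespace App\Http\Requests {            // app/Http/Requests/UpdatePostRequest.php (tips 4, 8)
    use Illuminate\Foundation\Http\FormRequest;
    class UpdatePostRequest extends FormRequest
    {
        // Policy check runs before validation; a failure answers 403.
        public function authorize(): bool
        {
            return $this->user()->can('update', $this->route('post'));
        }
        // Whitelist of accepted fields; anything else answers 422.
        public function rules(): array
        {
            return ['title' => ['required', 'string', 'max:120'],
                    'body'  => ['required', 'string']];
        }
    }
}
namespace App\Http\Controllers {         // app/Http/Controllers/PostController.php
    use App\Http\Requests\UpdatePostRequest;
    use App\Models\Post;
    class PostController extends Controller
    {
        public function update(UpdatePostRequest $request, Post $post)
        {
            // validated() holds only whitelisted fields; a stray user_id in the payload is never mass-assigned, unlike with all().
            $post->update($request->validated());
            return back();
        }
    }
}
```

A GET request to /posts/{post} is answered with 405 because no GET route is registered, an unauthenticated PUT is redirected by the auth middleware, and a PUT from a non-owner stops at the policy with 403 before any field is validated or saved.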

Editorial Staff

A Learner and trying to share what I learned!