---
id: daily-laravel-security
name: "laravel-security"
url: https://skills.yangsir.net/skill/daily-laravel-security
author: affaan-m
domain: security
tags: ["laravel", "security", "web-security", "php", "vulnerability-prevention"]
install_count: 4100
rating: 4.40 (20 reviews)
github: https://github.com/affaan-m/everything-claude-code
---

# laravel-security

> A comprehensive security guide for Laravel applications: defending against common vulnerabilities across authentication and authorization, user input handling, file uploads, API endpoints, and secrets management

**Stats**: 4,100 installs · 4.4/5 (20 reviews)

## Before / After Comparison

### Effect of using the skill

**Before**:

Completing Laravel application security hardening tasks by hand requires repeated steps and re-checking; the whole process takes roughly 100 minutes, is error-prone, and is inefficient

**After**:

With this Skill the work is automated: analysis and execution are handled for you and finish within a minute, with high accuracy and a standardized workflow

| Metric | Before | After | Change |
|---|---|---|---|
| Time to complete | 100 min | 1 min | -99% |

## Readme

# Laravel Security Best Practices

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

## When to Activate

- Adding authentication or authorization

- Handling user input and file uploads

- Building new API endpoints

- Managing secrets and environment settings

- Hardening production deployments

## How It Works

- Middleware provides baseline protections (CSRF via the framework's `VerifyCsrfToken`, called `ValidateCsrfToken` from Laravel 11 on; security headers via an application-defined `SecurityHeaders` middleware such as the one shown under Security Headers below).

- Guards and policies enforce access control (`auth:sanctum`, `$this->authorize`, policy middleware).

- Form Requests validate and shape input (`UploadInvoiceRequest`) before it reaches services.

- Rate limiting adds abuse protection (`RateLimiter::for('login')`) alongside auth controls.

- Data safety comes from encrypted casts, mass-assignment guards, and signed routes (`URL::temporarySignedRoute` + `signed` middleware).

## Core Security Settings

- `APP_DEBUG=false` in production (the debug page leaks environment variables, stack traces, and SQL)

- `APP_KEY` must be set and rotated on compromise; it keys sessions, encrypted cookies, signed URLs, and encrypted casts, so rotating it invalidates all of those unless the old key is also listed in `APP_PREVIOUS_KEYS` (Laravel 11+) or the stored data is re-encrypted

- Set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax` (or `strict` for sensitive apps)

- Configure trusted proxies (the `TrustProxies` middleware, or `$middleware->trustProxies()` in `bootstrap/app.php` on Laravel 11) so the app sees the original HTTPS scheme behind a load balancer; otherwise secure cookies and HTTPS redirects misbehave

## Session and Cookie Hardening

- Set `SESSION_HTTP_ONLY=true` to prevent JavaScript access

- Use `SESSION_SAME_SITE=strict` for high-risk flows

- Regenerate sessions on login and privilege changes

## Authentication and Tokens

- Use Laravel Sanctum or Passport for API auth

- Prefer short-lived tokens with refresh flows for sensitive data; with Sanctum, set `expiration` in `config/sanctum.php` or pass an `expiresAt` date to `createToken()` so tokens do not stay valid forever

- Revoke tokens on logout and on compromised accounts (`$user->tokens()->delete()` for all of a user's Sanctum tokens, or `$user->currentAccessToken()->delete()` for just the one in use)

Example route protection:

```
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});

```
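The session and token rules above, combined into one login/logout controller as an added example (this is not code from the skill or from any Laravel project). It assumes Sanctum is installed, the default `web` guard, and the stock `auth.failed` translation string; the `SessionController` name is this example's own.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\ValidationException;

final class SessionController extends Controller
{
    // POST /login  (put throttle:login on the route, see Rate Limiting)
    public function store(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'string', 'email'],
            'password' => ['required', 'string'],
        ]);

        // attempt() compares against the stored hash; never compare plaintext yourself.
        if (! Auth::attempt($credentials)) {
            // One message for "unknown user" and "wrong password": no account enumeration.
            throw ValidationException::withMessages(['email' => __('auth.failed')]);
        }

        // Rotate the session id so a session id fixed by an attacker before login
        // is not promoted to an authenticated one. Do the same after role changes.
        $request->session()->regenerate();

        return response()->json(['user' => $request->user()]);
    }

    // POST /logout  (route guarded by auth:sanctum)
    public function destroy(Request $request): JsonResponse
    {
        // Revoke every API token the user holds (Sanctum personal_access_tokens rows),
        // so a token copied from a device keeps no access after logout.
        $request->user()?->tokens()->delete();

        Auth::guard('web')->logout();

        // Drop all session data, then rotate the session id and the CSRF token.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return response()->json([], 204);
    }
}
```

For a "compromised account" flow the same `tokens()->delete()` call belongs next to the password change, and `Auth::logoutOtherDevices($currentPassword)` (which needs the `AuthenticateSession` middleware) ends the user's other web sessions.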

## Password Security

- Hash passwords with `Hash::make()` and never store plaintext

- Use Laravel's password broker for reset flows

```
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

$validated = $request->validate([
    // Append ->uncompromised() to also reject passwords present in known breach corpora (k-anonymity lookup).
    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],
]);

// Hash::make() uses the configured hasher (bcrypt by default); the stored string embeds its salt and cost.
$user->update(['password' => Hash::make($validated['password'])]);

```

## Authorization: Policies and Gates

- Use policies for model-level authorization

- Enforce authorization in controllers and services, not only by hiding links in views

```
$this->authorize('update', $project); // throws AuthorizationException (HTTP 403) when the policy denies

```

On Laravel 11 the base `Controller` no longer includes the `AuthorizesRequests` trait, so add that trait to your controller or call `Gate::authorize('update', $project)` instead.

Use policy middleware for route-level enforcement:

```
use Illuminate\Support\Facades\Route;

Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);

```

## Validation and Data Sanitization

- Always validate inputs with Form Requests

- Use strict validation rules and type checks

- Never trust request payloads for derived fields: owner ids, roles, prices, and approval flags come from the server side, never from the request

## Mass Assignment Protection

- Use `$fillable` or `$guarded` and avoid `Model::unguard()`

- Prefer DTOs or explicit attribute mapping
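The validation and mass-assignment rules above in one request/model/controller trio, added here as an example and not taken from the skill. The `Project` model, its columns (`owner_id`, `is_approved`, `budget_cents`), and the `create` policy ability are this example's assumptions; the three files are shown in a single block for brevity.

```php
<?php

// ---- app/Http/Requests/StoreProjectRequest.php ----
namespace App\Http\Requests;

use App\Models\Project;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

final class StoreProjectRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Authorization is checked here too, so an unauthorised caller never reaches the controller.
        return (bool) $this->user()?->can('create', Project::class);
    }

    public function rules(): array
    {
        return [
            'name'         => ['required', 'string', 'max:120'],
            'visibility'   => ['required', Rule::in(['private', 'internal'])],
            'budget_cents' => ['nullable', 'integer', 'min:0', 'max:100000000'],
            // No rule for owner_id, is_approved or created_by: derived fields are never accepted
            // from the payload, and validated() drops every key that has no rule.
        ];
    }
}

// ---- app/Models/Project.php ----
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Project extends Model
{
    // Allow-list of mass-assignable columns; owner_id and is_approved are absent on purpose,
    // so even a stray Project::create($request->all()) could not set them.
    protected $fillable = ['name', 'visibility', 'budget_cents'];
}

// ---- app/Http/Controllers/ProjectController.php ----
namespace App\Http\Controllers;

use App\Http\Requests\StoreProjectRequest;
use App\Models\Project;
use Illuminate\Http\JsonResponse;

final class ProjectController extends Controller
{
    public function store(StoreProjectRequest $request): JsonResponse
    {
        // Only validated, rule-bearing keys arrive here. A constructed payload
        // {"name":"x","visibility":"private","owner_id":1,"is_approved":true}
        // yields ['name' => 'x', 'visibility' => 'private'].
        $data = $request->validated();

        $project = new Project($data);              // mass-assignment limited to $fillable
        $project->owner_id   = $request->user()->id; // derived from the authenticated user, not the request
        $project->is_approved = false;               // server-decided state
        $project->save();

        return response()->json($project, 201);
    }
}
```

Explicit assignment of the derived fields is the "explicit attribute mapping" the bullet refers to: the request decides only what the rules allow, and the server decides everything else.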

## SQL Injection Prevention

- Use Eloquent or query builder parameter binding

- Avoid raw SQL unless strictly necessary

```
use Illuminate\Support\Facades\DB;

// The `?` placeholder is sent to the driver separately from the SQL text, so $email is never parsed as SQL.
DB::select('select * from users where email = ?', [$email]);

```
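The injectable form beside the bound forms, plus the case bindings cannot cover, as an added example (not the skill's code). It assumes a `users` table with a `last_login_at` column, the `App\Models\User` model, and MySQL syntax for the interval expression.

```php
<?php

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\Request;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\DB;

// VULNERABLE: interpolation places attacker input inside the SQL text.
// A constructed input of  ' OR '1'='1  returns every row.
function findUserUnsafe(string $email): array
{
    return DB::select("select * from users where email = '{$email}'");
}

// SAFE: the value travels as a bound parameter; the same input just matches no row.
function findUserSafe(string $email): array
{
    return DB::select('select * from users where email = ?', [$email]);
}

// Bindings also work inside the query builder's *Raw methods, so "raw" does not have to mean "unbound".
function recentlyActive(int $days): Collection
{
    return DB::table('users')
        ->whereRaw('last_login_at > now() - interval ? day', [$days]) // MySQL syntax assumed
        ->get();
}

// Identifiers (table/column names, ASC/DESC) cannot be bound, and Laravel does not protect
// column names passed to orderBy(). A request-controlled sort must go through an allow-list.
const SORTABLE_COLUMNS = ['name', 'created_at', 'last_login_at'];

function sortedUsers(Request $request): Builder
{
    $column    = (string) $request->query('sort', 'created_at');
    $direction = (string) $request->query('dir', 'desc');

    if (! in_array($column, SORTABLE_COLUMNS, true)) {
        $column = 'created_at'; // unknown column names are replaced, never passed through
    }
    $direction = $direction === 'asc' ? 'asc' : 'desc';

    return \App\Models\User::query()->orderBy($column, $direction);
}
```

The allow-list pattern applies anywhere an identifier comes from the client: sort columns, `select` lists built from a `fields` parameter, and table names in multi-tenant schemas.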

## XSS Prevention

- Blade escapes output by default (`{{ }}`)

- Use `{!! !!}` only for HTML that was sanitized server-side; treat anything a user supplied, admins included, as untrusted

- Sanitize rich text with a dedicated library
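A sanitizer to sit behind `{!! !!}`, added here as an example rather than code from the skill. It assumes the `ezyang/htmlpurifier` package is installed; the `RichText` class name and the allow-list are this example's choices.

```php
<?php

namespace App\Support;

use HTMLPurifier;
use HTMLPurifier_Config;

final class RichText
{
    private static ?HTMLPurifier $purifier = null;

    /**
     * Reduce user-supplied HTML to an allow-listed subset. Everything not listed
     * (script, style, iframe, on* handlers, javascript: and data: URLs) is removed.
     *
     * Blade usage:
     *   {{ $comment->body }}                      escaped: tags are shown literally
     *   {!! RichText::clean($comment->body) !!}   sanitized before raw output
     */
    public static function clean(string $html): string
    {
        if (self::$purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            // Structural and inline formatting only; attributes must be listed explicitly (a[href]).
            $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,blockquote,code,pre,a[href]');
            // Only http/https hrefs survive; a javascript: or data: href is dropped, the <a> stays.
            $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
            $config->set('HTML.Nofollow', true);
            $config->set('HTML.TargetBlank', true);
            // Definition cache disabled so the example runs without a writable cache dir;
            // in production set Cache.SerializerPath to a directory under storage/ instead.
            $config->set('Cache.DefinitionImpl', null);
            self::$purifier = new HTMLPurifier($config);
        }

        return self::$purifier->purify($html);
    }
}
```

Sanitize at render time or at save time, but be consistent: sanitizing on save and then also escaping on output double-encodes, while sanitizing on save alone leaves old rows unprotected if the allow-list is tightened later.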

## CSRF Protection

- Keep `VerifyCsrfToken` middleware enabled (renamed `ValidateCsrfToken` in Laravel 11); every route excluded from it is an endpoint that accepts cross-site form posts

- Include `@csrf` in forms; for SPA requests, read the `XSRF-TOKEN` cookie Laravel sets and send it back in the `X-XSRF-TOKEN` header (Axios does this by default)

For SPA authentication with Sanctum, ensure stateful requests are configured; only origins listed here receive cookie-based sessions, every other client is treated as a bearer-token caller:

```
// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),

```

## File Upload Safety

- Validate file size, MIME type, and extension

- Store uploads outside the public path when possible

- Scan files for malware if required

```
use Illuminate\Foundation\Http\FormRequest;

final class UploadInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return (bool) $this->user()?->can('upload-invoice');
    }

    public function rules(): array
    {
        return [
            // `mimes` checks the content type detected from the file's bytes (not the client-supplied one)
            // against the listed extensions; `extensions` (Laravel 10.x+) additionally rejects a
            // mismatching client-supplied filename extension; `max` is in kilobytes (5120 = 5 MiB).
            'invoice' => ['required', 'file', 'mimes:pdf', 'extensions:pdf', 'max:5120'],
        ];
    }
}

```

```
// store() writes under invoices/ with a random hashed filename; the client-supplied name is never used as a path.
$path = $request->file('invoice')->store(
    'invoices',
    config('filesystems.private_disk', 'local') // set this to a non-public disk
);

```

## Rate Limiting

- Apply `throttle` middleware on auth and write endpoints

- Use stricter limits for login, password reset, and OTP

```
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// Define the named limiter in a service provider's boot() method.
RateLimiter::for('login', function (Request $request) {
    return [
        // Both limits apply: one IP spraying many accounts and many IPs targeting
        // one account are each capped at 5 attempts per minute.
        Limit::perMinute(5)->by($request->ip()),
        Limit::perMinute(5)->by(strtolower((string) $request->input('email'))),
    ];
});

// A named limiter only takes effect on routes that reference it (controller name is illustrative).
Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');

```

## Secrets and Credentials

- Never commit secrets to source control

- Use environment variables and secret managers

- Rotate keys after exposure and invalidate sessions

## Encrypted Attributes

Use encrypted casts for sensitive columns at rest. Values are encrypted with `APP_KEY` before they reach the database, so they cannot be searched with `where` clauses, and a key rotation must keep the old key available (`APP_PREVIOUS_KEYS` on Laravel 11+) or re-encrypt the rows.

```
// Laravel 11 applications return this array from a casts() method instead of the property.
protected $casts = [
    'api_token' => 'encrypted',
];

```

## Security Headers

- Add CSP, HSTS, and frame protection where appropriate. Start with `Content-Security-Policy-Report-Only`: a strict `default-src 'self'` blocks inline scripts and styles and third-party assets, so confirm the reports are clean before enforcing

- Use trusted proxy configuration to enforce HTTPS redirects; HSTS only helps once every response is already served over HTTPS

Example middleware to set headers (register it globally: `$middleware->append(SecurityHeaders::class)` in `bootstrap/app.php` on Laravel 11, or in the `$middleware` array of `app/Http/Kernel.php` on earlier versions):

```
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, \Closure $next): Response
    {
        $response = $next($request);

        $response->headers->add([
            'Content-Security-Policy' => "default-src 'self'",
            'Strict-Transport-Security' => 'max-age=31536000', // add includeSubDomains/preload only when all subdomains are HTTPS
            'X-Frame-Options' => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy' => 'no-referrer',
        ]);

        return $response;
    }
}

```

## CORS and API Exposure

- Restrict origins in `config/cors.php`

- Avoid wildcard origins for authenticated routes: browsers refuse credentialed responses that carry `Access-Control-Allow-Origin: *`, and a loose `allowed_origins_patterns` regex is the same hole spelled differently

```
// config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
    'allowed_origins' => ['https://app.example.com'],
    'allowed_headers' => [
        'Content-Type',
        'Authorization',
        'X-Requested-With',
        'X-XSRF-TOKEN',
        'X-CSRF-TOKEN',
    ],
    'supports_credentials' => true,
];

```

## Logging and PII

- Never log passwords, tokens, or full card data

- Redact sensitive fields in structured logs

```
use Illuminate\Support\Facades\Log;

// Structured context only: the user id is enough to correlate the event. Never pass the
// request body, headers, or $model->toArray() wholesale, since those carry passwords and tokens.
Log::info('User updated profile', [
    'user_id' => $user->id,
    'email' => '[REDACTED]',
    'token' => '[REDACTED]',
]);

```
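A reusable redaction helper, added as an example that is not part of the skill, for the case where the context is built from request data rather than typed out by hand. The `LogRedactor` name, the sensitive-key list, and the value patterns are this example's choices.

```php
<?php

namespace App\Support;

final class LogRedactor
{
    /** Keys whose values never reach the log, matched case-insensitively as substrings. */
    private const SENSITIVE_KEYS = [
        'password', 'token', 'secret', 'authorization', 'cookie', 'card', 'cvv',
    ];

    /** Values masked even under innocent-looking keys. */
    private const SENSITIVE_VALUE_PATTERNS = [
        '/\bBearer\s+[A-Za-z0-9._\-]+/i', // bearer tokens pasted into free-text fields
        '/\b\d{13,19}\b/',                // card-number-length digit runs (assumes no app IDs that long)
    ];

    /**
     * Recursively redact a log context array.
     *
     * Constructed input:
     *   ['user_id' => 7, 'password' => 'hunter2',
     *    'headers' => ['Authorization' => 'Bearer abc.def', 'Accept' => 'application/json']]
     * Result:
     *   ['user_id' => 7, 'password' => '[REDACTED]',
     *    'headers' => ['Authorization' => '[REDACTED]', 'Accept' => 'application/json']]
     */
    public static function redact(array $context): array
    {
        $out = [];
        foreach ($context as $key => $value) {
            if (is_string($key) && self::isSensitiveKey($key)) {
                $out[$key] = '[REDACTED]';
                continue;
            }
            if (is_array($value)) {
                $out[$key] = self::redact($value);
                continue;
            }
            if (is_string($value)) {
                $value = preg_replace(self::SENSITIVE_VALUE_PATTERNS, '[REDACTED]', $value);
            }
            $out[$key] = $value;
        }

        return $out;
    }

    private static function isSensitiveKey(string $key): bool
    {
        $lower = strtolower($key);
        foreach (self::SENSITIVE_KEYS as $needle) {
            if (str_contains($lower, $needle)) {
                return true;
            }
        }

        return false;
    }
}

// Usage:
//   Log::warning('Login failed', LogRedactor::redact([
//       'email'   => $request->input('email'),   // PII: add 'email' to SENSITIVE_KEYS if your data classification requires it
//       'headers' => $request->headers->all(),
//   ]));
```

Calling the helper on every log line is easy to forget; the sturdier wiring is a Monolog processor registered through the channel's `tap` option in `config/logging.php`, which applies `redact()` to each record's context before any handler sees it.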

## Dependency Security

- Run `composer audit` regularly

- Pin dependencies with care and update promptly on CVEs

## Signed URLs

Use signed routes for temporary, tamper-proof links. The signature (an HMAC over the URL, keyed by `APP_KEY`) proves that the application generated the link and that neither its parameters nor its expiry were altered; it says nothing about who is presenting it, so a handler for a private resource must still authorize the caller.

```
use Illuminate\Support\Facades\URL;

$url = URL::temporarySignedRoute(
    'downloads.invoice',
    now()->addMinutes(15),
    ['invoice' => $invoice->id]
);

```

```
use Illuminate\Support\Facades\Route;

Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])
    ->name('downloads.invoice')
    ->middleware('signed');

```
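The handler behind the signed route above, serving the privately stored invoice from the File Upload Safety section, as an added example (not the skill's code). It assumes the route carries both `auth:sanctum` and `signed` because the link is used from an authenticated session, an `Invoice` model with a `path` column written by `store()`, and a `view` policy ability; for links mailed to unauthenticated recipients you would instead bind the recipient into the signed parameters and check that.

```php
<?php

namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

final class InvoiceController extends Controller
{
    // Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])
    //     ->name('downloads.invoice')
    //     ->middleware(['auth:sanctum', 'signed']);
    public function download(Request $request, Invoice $invoice): StreamedResponse
    {
        // The 'signed' middleware already rejected tampered or expired URLs with 403.
        // The signature proves the app minted the link, not who holds it: authorize anyway.
        abort_unless($request->user()?->can('view', $invoice), 403);

        // $invoice->path came from store() on the private disk: a random hashed name under
        // invoices/, never a client-supplied filename, so no path traversal is possible here.
        $disk = Storage::disk(config('filesystems.private_disk', 'local'));
        abort_unless($disk->exists($invoice->path), 404);

        // Stream as an attachment with a server-chosen filename and explicit content type,
        // so the browser never renders the upload inline (relevant if HTML or SVG ever slips in).
        return $disk->download(
            $invoice->path,
            sprintf('invoice-%d.pdf', $invoice->id),
            [
                'Content-Type'           => 'application/pdf',
                'X-Content-Type-Options' => 'nosniff',
            ]
        );
    }
}
```

Keeping the file on a non-public disk and streaming it through a controller is what makes the authorization check meaningful; a file under `public/` is reachable by anyone who learns its hashed name, signed URL or not.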
Weekly installs: 243 · Repository: https://github.com/affaan-m/everything-claude-code · GitHub stars: 94.4K · First seen: 6 days ago · Security audits: Gen Agent Trust Hub (Pass), Socket (Pass), Snyk (Pass) · Installed on: codex 232, opencode 201, cursor 201, gemini-cli 200, kimi-cli 200, amp 200

---
*Source: https://skills.yangsir.net/skill/daily-laravel-security*
*Markdown mirror: https://skills.yangsir.net/api/skill/daily-laravel-security/markdown*