
An Overview of the Best Laravel Security Practices

Updated on June 23, 2022


Laravel is a popular development platform that is well known for its performance and its active user community. Out of the box, Laravel is pretty secure, but of course no framework can claim to be 100% secure.

The good thing about Laravel security is that whenever a loophole is discovered, the maintenance team takes care of it quickly. However, as a developer, you should also focus on the security aspects of your Laravel 5 app.

Laravel is a development framework. As such, it won’t make your server more secure, only your application. Laravel’s features keep data handling clean and protected unless you bypass them, for example by using raw queries.

In this article, I have attempted to cover the major security loopholes a Laravel developer might face, and how to fix them.

To demonstrate the ideas discussed in this article, I have used a Laravel-based management system.

You might also like: Ultimate PHP Security Best Practices

Prerequisites:

For the purpose of this article, I assume that your Laravel application is installed on a web server. My setup is:

  •         Laravel 5.5
  •         PHP 7.1
  •         MySQL

To make sure that I don’t get troubled with server issues, I have used Cloudways Laravel cloud hosting, which is reputed for its great dev stack right out of the box. Simply sign up for a free account on Cloudways and host your Laravel project.

Laravel Security Features

Laravel hacking is a common problem: once an application is compromised, the attacker can go on to exploit other components through XSS and tampered files. Most victims of website hacks find that their pages are being redirected to other malicious websites.

Laravel offers the following security features to help developers reduce the vulnerabilities in their applications.

  1. Laravel Authentication System
  2. Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)
  3. Protection against XSS (Cross Site Scripting)
  4. SQL Injection
  5. Improve Laravel Application Security
  6. Laravel Security Packages


Laravel Authentication System


Laravel already has a robust user authentication process in place with the associated boilerplate code available in the scaffolding.

Laravel uses “providers” and “guards” to facilitate the authentication process. Guards authenticate users for each request they make, while providers facilitate user retrieval from the database.

As a developer, all you have to do is to set up the database, controllers and models. During the process, authentication features are built into the app.

Read More About: User Authentication in Laravel

Reduce Laravel Vulnerabilities From CSRF (Cross Site Request Forgery)

Laravel uses CSRF tokens to make sure that external third parties cannot forge requests on behalf of an authenticated user and thereby exploit a CSRF weakness in the application.

For this, Laravel creates a token and checks for it on every state-changing request that comes from a form or through an AJAX call.

When the request is invoked, Laravel compares the request token with the one saved in the user’s session. If the tokens do not match, the request is classified as invalid and no further action is executed.

If you are manually creating forms in standard HTML using Blade templates (not a recommended choice), you must pass the CSRF token there as shown below:

<form name="test" method="POST" action="/submit">
    {!! csrf_field() !!}
    <!-- Other inputs can come here -->
</form>

Read More About: Enable Laravel CSRF Protection

Protection against XSS (Cross Site Scripting)

During XSS attacks, the attacker enters JavaScript (usually into a form’s text areas) into your website. Whenever new visitors access the affected page or form, the script is executed with malicious effect.

Consider the scenario where a blogging platform allows users to post comments on blog posts. Now in this scenario, a user with malicious intent enters the following JavaScript code in the comments:

<script>alert("You are hacked")</script>

If there is no XSS protection in place, the application’s exposure increases, as the JavaScript will execute every time the page loads. While the example code is not malicious in itself, it demonstrates the full extent of this attack: whatever an attacker puts in that script tag runs in every visitor’s browser.

Laravel offers native support that protects the output from XSS attacks. Blade’s {{ }} syntax runs every value through htmlspecialchars(), so any content containing HTML tags is escaped before it reaches the page. The browser then renders the comment literally as text, as shown below, rather than executing it:

<script>alert("You are hacked")</script>

Read More About: Laravel Validation and User Input Sanitization to Prevent XSS Exploits

SQL Injection

Laravel’s Eloquent ORM uses PDO parameter binding, which protects against SQL injection. Bound parameters ensure that no client can modify the intent of the SQL query.

Consider the example of a form used to look up a user’s record by email address. The form will search for an email address, for instance “[email protected]”. Now imagine that the SQL query is modified to:

SELECT * FROM users WHERE email = '[email protected]' or 1=1

In the above example, 1=1 is a simple logical expression that always evaluates to true. If it is attached to the above query with the OR condition, the query will fetch all records from the table because the WHERE condition evaluates to true for every row.

Now consider another variation of the attack in which the query is extended with the command “drop table users” right after the email address “[email protected]”. The query will look like:

SELECT * FROM users WHERE email = '[email protected]'; drop table users;

When this query is executed, the table “users” will be removed from the database.

When PDO parameter binding is in place, the whole input is treated as a single quoted string value, and the query effectively becomes:

SELECT * FROM users WHERE email = '[email protected] or 1=1'

Since no record has an email address equal to the literal string “[email protected] or 1=1”, the query returns nothing.

Laravel provides other ways of talking to databases, such as raw SQL queries. Yet Eloquent remains the most popular option, and it is worth learning how to use the ORM properly because it helps prevent SQL injection attacks caused by maliciously crafted input.

Read More About: Protect a PHP Website from SQL Injection Attacks

Improve Laravel Application Security

Thanks to the inbuilt Laravel security features, the framework is already much more secure than many other PHP frameworks. However, there are a number of things you can do to make your Laravel code more secure.

These measures help make your application resistant to the common code attacks described above and considerably enhance its security.

Prevent SQL injection By Avoiding Raw Queries:

Laravel uses PDO binding to prevent SQL injection attacks because no variable is passed to the database as part of the SQL text; it is sent separately as a bound parameter. Developers, however, still opt for raw SQL for various reasons.

If this is the case with you, you should always use prepared SQL statements with bindings to prevent mishaps. Consider the following statement, which is ripe for SQL injection:

Route::get('this-is-prone-to-sql-injection', function () {
    // Attacker-controlled value; imagine it came from request input.
    $name = "'Pardeep' OR 1=1";

    // Vulnerable: $name is interpolated straight into the SQL text, so the
    // quotes and the OR 1=1 become part of the query grammar.
    return DB::select(
        DB::raw("SELECT * FROM users WHERE name = $name")
    );
});

Here the 1=1 in the OR condition will cause the query to return every row in the users table. This can be prevented by using the following code instead:

Route::get('safe-from-sql-injection', function () {
    $name = "'Pardeep' OR 1=1";

    // Safe: the SQL text is constant and $name travels as a bound parameter.
    // Note that the bindings array must be passed to DB::select() itself;
    // DB::raw() only takes the SQL string and silently discards a second argument.
    return DB::select('SELECT * FROM users WHERE name = ?', [$name]);
});

Laravel binds the values in the array to the question-mark placeholders, so the database receives the input strictly as data and never interprets it as SQL. This protects the code from SQL injection attacks.
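The same protected lookup written the other ways Laravel 5.5 offers, as an added example that is not part of the original article. Both the SQL injection section and the raw-query advice above boil down to the rule shown here: keep the SQL text constant and pass every user value as a binding. The `App\User` model is assumed to be the default one Laravel ships.

```php
<?php
// Added example (not from the original article): one user lookup written
// three ways, each sending the user-controlled value as a bound parameter.
use Illuminate\Support\Facades\DB;
use App\User; // assumed: the default Eloquent model shipped with Laravel

Route::get('users/by-email', function () {
    // Untrusted input. Constructed sample default mimics an injection attempt;
    // with binding it is matched literally as an e-mail address and nothing more.
    $email = request('email', "nobody@example.com' OR 1=1 --");

    // 1. Query builder: where() binds its value automatically.
    $viaBuilder = DB::table('users')->where('email', $email)->first();

    // 2. Eloquent: same binding behaviour through the model.
    $viaEloquent = User::where('email', $email)->first();

    // 3. Raw SQL where it is unavoidable: fixed SQL text, named binding for the value.
    $viaRaw = DB::select(
        'SELECT * FROM users WHERE email = :email LIMIT 1',
        ['email' => $email]
    );

    // whereRaw() also accepts bindings; only the constant SQL fragment goes
    // in the string, the variable stays in the array.
    $caseInsensitive = DB::table('users')
        ->whereRaw('LOWER(email) = ?', [strtolower($email)])
        ->first();

    return response()->json([
        'builder'          => $viaBuilder,
        'eloquent'         => $viaEloquent,
        'raw'              => $viaRaw,
        'case_insensitive' => $caseInsensitive,
    ]);
});
```

Requesting this route with the default sample value returns no rows in all four variants, because the database compares the entire string, quotes and `OR 1=1` included, against the email column.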

Force HTTPS if Your Application is Exchanging Sensitive Information

When you deploy your website over HTTP, all exchanged data, including passwords, is sent in plain text and can easily be stolen by anyone positioned between the browser and the server. To keep this information safe, always deploy your web applications over HTTPS.

You can set up an SSL certificate on your website with a little assistance from any Laravel developer, who will move your application from HTTP to HTTPS easily. To protect specific routes, you can use the filter defined below, which redirects users to the secure version of the route.

// Route filters are Laravel 4.x API; in Laravel 5.x the same check belongs in
// a middleware class. Request::path() is passed (not the full URL) because
// Redirect::secure() returns a full URL unchanged, which would loop on http://.
Route::filter('https', function () {
    if (! Request::secure()) {
        return Redirect::secure(Request::path());
    }
});
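For the Laravel 5.5 setup this article assumes, the same redirect is implemented as a middleware. This is an added example, not code from the original article; the class name `ForceHttps` and the decision to skip the redirect outside production are my own choices.

```php
<?php
// Added example (not from the original article): Laravel 5.x middleware that
// replaces the Laravel 4 Route::filter shown above.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceHttps
{
    public function handle(Request $request, Closure $next)
    {
        // Redirect only in production so plain http://localhost development keeps working.
        if (! $request->secure() && app()->environment('production')) {
            // getRequestUri() keeps path and query string; 301 lets browsers cache the upgrade.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: tell the browser to refuse plain HTTP for this host for a year.
        // Browsers only honour the header on HTTPS responses, so send it there.
        if ($request->secure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}

// app/Http/Kernel.php: register it globally so every route is covered.
//   protected $middleware = [
//       \App\Http\Middleware\ForceHttps::class,
//       // ...
//   ];
//
// app/Providers/AppServiceProvider.php, boot(): make url()/route()/asset()
// generate https:// links too, otherwise pages keep emitting http:// URLs.
//   if ($this->app->environment('production')) {
//       \Illuminate\Support\Facades\URL::forceScheme('https');
//   }
```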

Read More About: Setting up HTTPS SSL Certificates on Laravel

Escape Content to Prevent XSS

To avoid XSS attacks, you should use the double-brace syntax in Blade templates: {{ $variable }}

Only use the {!! $variable !!} syntax when you are sure that the data in the variable is safe to be displayed as HTML.

Use Laravel Purifier to enhance your Security

The double curly braces in Laravel ensure that no raw HTML is output to the client. However, if you want to output an HTML value from your database to the client, you can use HTML Purifier, a well-maintained tool that cleans up the markup, removes anything not on its whitelist, and repairs omitted and malformed HTML.
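The two output paths side by side, as an added example that is not from the original article: escaping (what Blade’s {{ }} does) for plain-text fields, and HTML Purifier for fields where users may legitimately submit markup. It assumes the `ezyang/htmlpurifier` Composer package, which is the library the Laravel Purifier wrappers build on; the function names are my own.

```php
<?php
// Added example (not from the original article). Requires: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

// Equivalent of Blade's {{ $value }}: htmlspecialchars with ENT_QUOTES, so
// every tag is shown as literal text and nothing executes. Use for plain text.
function escapeForDisplay(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For rich-text fields: keep only an explicit whitelist of elements and
// attributes; everything else (script, event handlers, odd URI schemes) is dropped.
function purifyComment(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li');
    // Only web links survive in href; javascript: and data: URIs are removed.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('AutoFormat.RemoveEmpty', true);

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample resembling the comment from the XSS section above,
// with an inline event handler and a javascript: link added.
$comment = '<p>Nice post!</p><script>alert("You are hacked")</script>'
         . '<a href="javascript:alert(1)" onclick="alert(2)">link</a>';

// Plain-text field: the whole comment, tags included, renders as visible text.
echo escapeForDisplay($comment), PHP_EOL;

// Rich-text field: the paragraph and the link text are kept; the script
// element (with its contents), the javascript: href and onclick are gone.
echo purifyComment($comment), PHP_EOL;
```

In a Blade view the purified string is the only kind of value that should ever go through {!! !!}; everything else stays on {{ }}.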

Laravel Security Packages:

Laravel offers several packages to enhance the security of its applications. While I cannot discuss all of them, I will mention the most popular security-focused Laravel packages:

Laravel Security Component: Laravel Security Component mainly provides security for roles/objects and integrates the Symfony security core into Laravel. It uses voters to check role-based privileges, so the application can validate access decisions against them.

Laravel Security: Laravel Security is one of the most frequently used packages and is known for removing XSS vulnerabilities in the codebase. It has been ported from CodeIgniter 3 to Laravel 5.

Laravel-ACL: Laravel-ACL adds role-based permissions on top of the Laravel authentication process. The package helps protect routes and CRUD controller methods in the application.

Conclusion

Obviously, there are a lot of other things you can do to further secure your Laravel application. Still, the framework goes a long way toward a much more secure application by eliminating the attack vectors discussed here through its inbuilt security features, which are designed to cover most of an application’s security needs.

Inshal Ali

Inshal is a Content Marketer at Cloudways. With background in computer science, skill of content and a whole lot of creativity, he helps business reach the sky and go beyond through content that speaks the language of their customers. Apart from work, you will see him mostly in some online games or on a football field.
