@ArielMejiaDev
Created October 28, 2021 22:58
security-in-laravel.md

Security in Laravel: How to Protect Your App

Code Injections

SQL Injections

```php
// Vulnerable: every field in the request is written to the model (mass assignment).
User::query()->create($request->all());
```

A request body like this would set the role as well:

```json
{
    "name": "John Doe",
    "email": "john@doe.com",
    "role_id": "admin"
}
```

```php
// The same problem with fill(): the client-supplied role_id is saved too.
$user->fill($request->all());
$user->save();
```

Set Fillable Property

```php
// Only the attributes listed here can be set through create() / fill().
protected $fillable = ['name', 'email', 'password', 'role_id'];
```

```shell
php artisan make:request UserRequest
```

```php
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\Password;

class UserRequest extends FormRequest
{
    public function authorize()
    {
        // $this->user() is the authenticated user model, or null for guests.
        return $this->user() !== null;
    }

    public function rules()
    {
        return [
            'name'     => ['required', 'string', 'min:5', 'max:255'],
            'email'    => ['required', 'email', 'unique:users'],
            'password' => ['required', Password::default()],
        ];
    }
}
```

XSS Attack

Restrict Special Tags in the Server

Does Not Return Special Tags in the Views

```blade
{{-- Double braces escape HTML entities before output. --}}
<p>{{ $user->name }}</p>
{{-- {!! !!} prints the raw value; only use it for content you trust. --}}
<p>{!! $user->name !!}</p>
```

Using Another PHP Template Engine

```php
// e() applies the same HTML escaping Blade uses, outside of Blade templates.
{{ e($user->name) }}
```

Request Origin

```php
// Allow 3 requests per 10 minutes on this route.
Route::get('dashboard', DashboardController::class)->middleware('throttle:3,10');
```

```php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// In app/Providers/RouteServiceProvider.php
protected function configureRateLimiting()
{
    RateLimiter::for('global', function (Request $request) {
        return Limit::perMinute(1000);
    });
}
```

```php
Route::get('dashboard', DashboardController::class)->middleware('throttle:global');
```

Prevent CSRF Attack

```blade
<form method="POST" action="/profile">
    @csrf
    <!-- Equivalent to... -->
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>
```

```php
// In app/Http/Middleware/VerifyCsrfToken.php: URIs excluded from CSRF verification.
protected $except = [
    'stripe/*',
    'http://example.com/foo/bar',
    'http://example.com/foo/*',
];
```

Prevent DOS Attack

DOS Attacks That Send Large Files to Consume the Server Memory

```php
// The file must be exactly 512 kilobytes.
'photo' => ['mimes:jpg,bmp,png', 'file', 'size:512']
// The file may be at most 512 kilobytes.
'photo' => ['mimes:jpg,bmp,png', 'file', 'max:512']
```

Additional Security Tips

Use a Honeypot on Any Public Form

```php
// This input should never be present in the request; any value fails validation.
'honey_pot_field' => ['prohibited'],
```
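The following is an added example, not code from the gist: it combines the mass-assignment fix, the upload size limit and the honeypot rule in one form request, and a controller that builds the model from `validated()` data instead of `$request->all()`. The class names `StoreUserRequest` and `UserController`, the `DEFAULT_ROLE_ID` constant and the field names are assumptions.

```php
<?php
// app/Http/Requests/StoreUserRequest.php (assumed path)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\Password;

class StoreUserRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Only an authenticated user may submit this form.
        return $this->user() !== null;
    }

    public function rules(): array
    {
        return [
            'name'     => ['required', 'string', 'min:5', 'max:255'],
            'email'    => ['required', 'email', 'unique:users'],
            'password' => ['required', Password::default()],
            // Upload bound: image types only, at most 512 kilobytes.
            'photo'    => ['nullable', 'file', 'mimes:jpg,bmp,png', 'max:512'],
            // Honeypot: a real browser form never fills this, so any value is rejected.
            'honey_pot_field' => ['prohibited'],
            // role_id is deliberately absent, so validated() can never contain it.
        ];
    }
}

// app/Http/Controllers/UserController.php (assumed path)
namespace App\Http\Controllers;

use App\Http\Requests\StoreUserRequest;
use App\Models\User;
use Illuminate\Support\Facades\Hash;

class UserController extends Controller
{
    private const DEFAULT_ROLE_ID = 2; // assumed id of the ordinary-user role

    public function store(StoreUserRequest $request)
    {
        // safe()->only() returns just the validated keys we name, so a smuggled
        // role_id never reaches the model even though it sits in $fillable.
        $user = User::create(array_merge(
            $request->safe()->only(['name', 'email']),
            ['password' => Hash::make($request->validated()['password'])],
            ['role_id' => self::DEFAULT_ROLE_ID] // decided by the server, not the client
        ));

        return redirect()->route('users.show', $user);
    }
}
```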

Set Tokens Lifetime

For Laravel Passport:

```php
use Laravel\Passport\Passport;

/**
 * Register any authentication / authorization services.
 *
 * @return void
 */
public function boot()
{
    $this->registerPolicies();
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(15));
    Passport::refreshTokensExpireIn(now()->addDays(30));
    Passport::personalAccessTokensExpireIn(now()->addMonths(6));
}
```

For Laravel Sanctum:

```shell
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
```

```php
// config/sanctum.php: minutes until an issued token expires; null means tokens never expire.
'expiration' => null,
```

Use Authorization Features

```html
<button v-if="$page.props.auth.user.permissions.admin_action.create">Admin Action</button>
<td v-if="product.permissions.view">{{ product.name }}</td>
```