Security Features in Laravel

Sharathkumar hegde
Mar 22 · 3 min read

In this article, I am gonna discuss some of the security vulnerabilities and how we can avoid those in Laravel application.

Following are some of the security vulnerabilities we encounter in web application and how we can mitigate those in Laravel application:

#1 Cross-Site Request Forgery(CSRF)

Here, third-party application forges the form request and try to submit the malicious request to your web application. This can be avoided by using Laravel CSRF token.

When the request is invoked, Laravel compares the request token with the one saved in the user’s session. If the token does not match, the request is classified as invalid and no further action is executed.

If you are building custom form, include “csrf_field()” in your form request to avoid CSRF vulnerability.

<form id="#myForm">
{{csrf_field()}}
<!-- Other inputs come here-->

#2 Cross Site Scripting (XSS)

In an XSS attack, attacker inputs Javascript function, usually in the text field of the form, into your website. Now, whenever new visitors will access the affected page of the form, the script will be executed with malicious impact.

To avoid XSS attacks you should be using the double brace syntax in the blade templates: ({{ $varaible }})

#3 SQL Injection

Consider a form which collects user’s email address to fetch the user details. Now imagine SQL query modified to :

select * from users where email= 'sharath@example.com' or 1=1;

In the above example, 1=1 is a simple logical expression that always evaluates to be true. If it is attached to the above query with the OR condition, the query will fetch all records from the table because the SELECT condition will evolve to be true.

These attacks can be prevented by using Laravel’s Eloquent ORM which uses PDO bindings to protect from SQL injection.

Also, avoid using raw queries to prevent SQL injection.

#4 Use HTTPS

If your site is processing sensitive information then make sure to deploy your site to HTTPS to safeguard its sensitive information. HTTPS avoids third-party traffic eavesdropping.

HTTPS also prevents session-hijacking where third-party pose as a requester between the remote server and the client.

#5 Distributed Denial of Service(DDOS)

If you flood a website with more traffic than it was built to handle, you’ll overload the website’s server and it’ll be nigh-impossible for the website to serve up its content to visitors who are trying to access it.

Often, this kind of traffic overload is malicious, as an attacker floods a website with an overwhelming amount of traffic to essentially shut it down for all users.

Such an attack can be prevented using the Web Application Firewall(WAF). In terms of Laravel application level, the throttle can be used to block the request. But, DDOS attack should be blocked at the transport layer rather than at the application layer.

These are some of the security vulnerabilities and how we can prevent them in Laravel application.

Thanks!!Happy Reading!!