CSRF (Cross-Site Request Forgery) protection in Laravel automatically generates and validates tokens for each active user session. It's implemented through the VerifyCsrfToken middleware and @csrf Blade directive in forms.
Laravel provides XSS (Cross-Site Scripting) protection by automatically escaping output using {{ }} Blade syntax. HTML entities are converted to prevent script injection. Use {!! !!} for trusted content that needs to render HTML.
Laravel prevents SQL injection using PDO parameter binding in the query builder and Eloquent ORM. Query parameters are automatically escaped. Never concatenate strings directly into queries.
Signed routes are URLs with a signature that ensures they haven't been modified. Created using URL::signedRoute() or URL::temporarySignedRoute(). Useful for email verification or temporary access links.
Laravel includes security headers through middleware. Headers like X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options are set by default. Additional headers can be added via middleware.
Rate limiting uses the throttle middleware with configurable attempt counts and time windows. Can limit by IP, user ID, or custom parameters. Supports Redis for distributed applications.
API authentication uses tokens, OAuth, or JWT. Laravel provides Passport and Sanctum for API auth. Supports multiple authentication guards and token abilities.
Advanced rate limiting uses multiple strategies. Support token bucket and leaky bucket algorithms. Handle distributed rate limiting. Implement custom response headers.
Laravel provides encryption using the Crypt facade. Data is encrypted using OpenSSL and AES-256-CBC. Encryption key is stored in .env file. All encrypted values are signed to prevent tampering.
Implement password policies using validation rules. Check length, complexity, history. Handle password expiration and rotation. Support password strength indicators.
RBAC implements authorization using roles and permissions. Can use built-in Gates and Policies or packages like Spatie Permissions. Support hierarchical roles and permission inheritance.
CORS (Cross-Origin Resource Sharing) is handled through middleware. Configure allowed origins, methods, and headers. Support preflight requests. Handle credentials and caching.
Request validation ensures input safety. Use Form Requests and validation rules. Handle file uploads securely. Prevent mass assignment vulnerabilities. Sanitize input data.
Laravel automatically hashes passwords using the Hash facade and bcrypt or Argon2 algorithms. Never store plain-text passwords. Password hashing is handled by the HashedAttributes trait in the User model.
Laravel sets the HTTP-only flag on cookies by default to prevent JavaScript access. Session cookies are automatically HTTP-only. Config can be modified in config/session.php.
Mass assignment protection prevents unintended attribute modification through $fillable and $guarded properties in models. Attributes must be explicitly marked as fillable to allow mass assignment.
Laravel secures sessions using encrypted cookies, CSRF protection, and secure configuration options. Sessions can be stored in various drivers (file, database, Redis). Session IDs are regularly rotated.
Secure file uploads by validating file types, size limits, and scanning for malware. Store files outside webroot. Use Storage facade for safe file operations. Implement proper permissions.
2FA can be implemented using packages or custom solutions. Support TOTP, SMS, or email verification. Handle backup codes and device remembering. Integrate with authentication flow.
Secure downloads using signed URLs or tokens. Validate user permissions. Handle file streaming and range requests. Implement download tracking and rate limiting.
Security event monitoring and alerting track suspicious activities. Implement IDS/IPS features. Handle security incident response. Support forensics.
Secure API key generation and storage. Handle key rotation and revocation. Implement key permissions. Support multiple key types. Handle key distribution.
Audit logging tracks user actions and changes. Use model events, observers, or packages. Log authentication attempts and data modifications. Support audit trail review and reporting.
Implement full OAuth2 server using Passport. Handle all grant types. Support scope validation. Implement token management. Handle client credentials.
Implement security standards compliance (GDPR, HIPAA). Handle data privacy requirements. Support security audits. Implement compliance reporting.
Secure WebSocket authentication and authorization. Handle connection encryption. Implement message validation. Support secure broadcasting.