How Laravel’s built-in security protects your web application
We love Laravel because it’s a clean, secure foundation for building incredible business tools. But we’ve never talked about how Laravel’s built-in security protects your web application from day one. In addition to cleaning up your code and applying updates, like we did for this London estate agency, it’s a good idea to enable all of Laravel’s security features too.
What are Laravel’s built-in security features?
Laravel offers hashed passwords, CSRF protection, encryption and query sanitisation as its base security features. Beyond that, you can use authentication middleware, validate all user input, keep your dependencies up to date and apply best practices to things like passwords. Out of the box, Laravel is extremely secure, and by avoiding raw queries, using double-brace syntax in Blade templates, forcing HTTPS and running Laravel Purifier to keep code tidy, you can build on these base features for an even more protected environment.
Now, let’s go into a bit more detail about each of Laravel’s built-in security features so you can understand why they’re so useful:
Protection from XSS
XSS, or Cross-Site Scripting, is a kind of attack where criminals inject malicious JavaScript into areas of your website, such as form fields. Then, when users interact with that form or page, the script runs in their browser, and that could trigger ransomware or other kinds of attacks. Laravel has native protection against XSS: Blade’s double-brace syntax escapes output, so untrusted data is rendered as HTML-encoded text rather than interpreted as markup or script. This, combined with validating your data, provides a good level of protection.
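To make the escaping concrete, here is an added example (not code from the original article or from the Laravel project) that reproduces in plain PHP what Blade’s double-brace syntax does. The flags match those used by Laravel’s `e()` helper; the sample input is constructed for the demonstration.

```php
<?php
// Added example: what {{ $value }} does under the hood. Laravel's e() helper
// wraps htmlspecialchars() with these flags, so special characters in untrusted
// input become entities and the browser shows them as text.
function escapeLikeBlade(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: a comment field carrying a script tag and an
// event-handler attribute.
$untrusted = '<script>alert("xss")</script><img src=x onerror="alert(1)">';

// Equivalent of writing {{ $untrusted }} in a Blade template: the output is
// inert text, nothing executes.
echo escapeLikeBlade($untrusted), PHP_EOL;

// Equivalent of {!! $untrusted !!}: raw, unescaped output. Reserve this for
// HTML you generated yourself or that has been passed through an HTML
// sanitiser; never feed it user-supplied data directly.
echo $untrusted, PHP_EOL;

// The same two cases as they appear in a Blade view:
//
//   <p>{{ $comment }}</p>           escaped, safe for user content
//   <div>{!! $trustedHtml !!}</div>  raw, only for sanitised or self-generated HTML
```

Escaping of this kind covers HTML text and attribute values. Data placed inside a `<script>` block or into a URL still needs context-specific handling, which is why validation and a sanitiser remain part of the picture.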
Laravel authentication system
You also need to make sure the right people are accessing your application. Laravel explains, “At its core, Laravel’s authentication facilities are made up of “guards” and “providers”. Guards define how users are authenticated for each request. For example, Laravel ships with a session guard which maintains state using session storage and cookies. […] Laravel [also] ships with support for retrieving users using Eloquent and the database query builder.” You can support logins from your own database or through popular third-party services such as Facebook and Google, too.
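The guard and provider wiring quoted above lives in the application’s `config/auth.php`. The fragment below is an added illustration, not code from the article, and follows the framework’s default configuration: a `web` guard backed by the session driver, and a `users` provider that loads accounts through the Eloquent `User` model.

```php
<?php
// Added example: the default guard/provider layout of config/auth.php.
// Array keys and values follow Laravel's shipped defaults.
return [
    // Which guard handles requests when none is named explicitly.
    'defaults' => [
        'guard' => 'web',
        'passwords' => 'users',
    ],

    // Guards decide HOW a user is authenticated on each request. The session
    // guard keeps state in session storage and a cookie, as the quote says.
    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
    ],

    // Providers decide WHERE users come from. The eloquent driver retrieves
    // them through the named model; a 'database' driver that uses the query
    // builder directly is the other built-in option.
    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],
    ],
];
```

With that in place, a route group wrapped in `Route::middleware('auth')` rejects unauthenticated requests before any controller code runs, and `Auth::user()` inside those routes returns the account the guard resolved.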
Protection from CSRF
In a CSRF, or Cross-Site Request Forgery, attack, a third party makes requests on behalf of a logged-in user that the user never intended. Bad actors can use this to post on the user’s behalf, change settings or even transfer funds. To prevent this, Laravel generates a token for the user’s session and requires it to be included in every form submission or AJAX request. The token sent with the request must match the token stored in the session before any further action is taken.
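The comparison described above is performed by Laravel’s `VerifyCsrfToken` middleware. The following added example (not the article’s or the framework’s own code) reduces that check to plain PHP so the mechanism is visible; the token value and request arrays are constructed for illustration.

```php
<?php
// Added example: the CSRF check reduced to its essentials.

// 1. Once per session Laravel stores a random token. In a Blade form the
//    @csrf directive renders it as a hidden field:
//
//        <form method="POST" action="/profile">
//            @csrf
//            ...
//        </form>
//
//    AJAX clients send the same value in an X-CSRF-TOKEN header instead.
//    The token below is this example's own, generated in the same spirit.
$session = ['_token' => bin2hex(random_bytes(20))];

// 2. On every state-changing request (POST, PUT, PATCH, DELETE) the token
//    from the form field or header is compared with the session copy.
//    hash_equals() runs in constant time, so response timing reveals nothing
//    about the stored value.
function tokensMatch(array $session, array $post, array $headers): bool
{
    $sent = $post['_token'] ?? $headers['X-CSRF-TOKEN'] ?? null;

    return is_string($sent)
        && is_string($session['_token'] ?? null)
        && hash_equals($session['_token'], $sent);
}

// Legitimate submission: the form carried the token Laravel rendered into it.
var_dump(tokensMatch($session, ['_token' => $session['_token']], []));

// Forged request from another site: that page cannot read the victim's
// session token, so the field is wrong or missing and Laravel answers with
// HTTP 419 before any handler runs.
var_dump(tokensMatch($session, ['_token' => 'constructed-wrong-value'], []));
var_dump(tokensMatch($session, [], []));
```

Run it and the first check passes while the other two fail. Laravel also sets an `XSRF-TOKEN` cookie that JavaScript HTTP libraries such as Axios pick up automatically and send back as an `X-XSRF-TOKEN` header, so the usual front-end calls get this protection without extra code.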
SQL Injection
The last attack type that Laravel protects against is SQL injection, a code-injection technique. It’s the most common form of hacking. W3 explains, “SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.” Laravel uses PDO parameter binding through its Eloquent ORM and query builder, so client input can’t change the intent of a query. That means attackers won’t be able to make your SQL do things it wasn’t intended to do. (And that’s a good thing.)
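To show why parameter binding matters, here is an added example (not code from the article or from Laravel) that runs a vulnerable string-built query beside a bound query against an in-memory SQLite database using PDO directly, which is the same layer Eloquent and the query builder sit on. The table contents and the input string are constructed for the demonstration; the Laravel equivalents are noted in comments.

```php
<?php
// Added example: string interpolation versus PDO parameter binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
$pdo->exec("INSERT INTO users (email, name) VALUES
            ('alice@example.com', 'Alice'),
            ('bob@example.com', 'Bob')");

// Constructed input of the kind the W3 quote describes: an SQL fragment
// supplied where an e-mail address was expected.
$input = "' OR '1'='1";

// Vulnerable: the input is spliced into the SQL text. The quote closes the
// string literal and the OR clause matches every row in the table.
function findUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT name FROM users WHERE email = '$email'";

    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed and the value travels separately as a bound
// parameter, so the database treats the entire string as data. This is what
// happens behind DB::select('select name from users where email = ?', [$email])
// and behind User::where('email', $email)->get().
function findSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE email = ?');
    $stmt->execute([$email]);

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(findUnsafe($pdo, $input));
print_r(findSafe($pdo, $input));
```

Run it and the first call returns both names while the second returns an empty list. The protection holds only as long as user input stays in bindings: Laravel’s raw helpers such as `DB::raw()`, `whereRaw()` and `orderByRaw()` pass their string straight to the database, so interpolating request data into them reopens the hole the bindings close, which is the reason the advice above is to avoid raw queries.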
Want to see how Laravel can offer a secure, smooth-operating basis for your next web app? Talk to us today about your goals and required functionality.