Apply Laravel security best practices for auth, vulnerabilities, APIs, and deployment.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "laravel-security" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/laravel-security/SKILL.md 2. Save it as ~/.claude/skills/laravel-security/SKILL.md 3. Reload skills and tell me it's ready
Please review a Laravel project's security best practices checklist, focusing on authentication, authorization policies, CSRF, XSS prevention, safe Eloquent usage, API token protection, environment variable handling, and production deployment settings. Classify recommendations by high, medium, and low risk.
A prioritized security checklist highlighting key risks and recommended fixes.
I'm building an API with Laravel. Give me a security plan covering Sanctum vs. Passport selection, roles and permissions, rate limiting, input validation, sensitive field protection, minimal error disclosure, and defenses against common API attack surfaces.
A practical security design plan and implementation guidance for a Laravel API.
Summarize the most common security issues in Laravel projects, such as unauthorized access, mass assignment risks, SQL injection misuse, XSS, insecure file uploads, and debug configuration leaks. For each, provide a bad example, the correct approach, and audit tips.
A vulnerability-by-vulnerability security guide with explanations, fixes, and audit tips.
Comprehensive security guidelines for Laravel applications to protect against common vulnerabilities.
// config/app.php
'env' => env('APP_ENV', 'production'),
'debug' => (bool) env('APP_DEBUG', false), // CRITICAL: Never true in production
'key' => env('APP_KEY'), // Must be set: php artisan key:generate
// config/session.php
'secure' => env('SESSION_SECURE_COOKIE', true),
'http_only' => true,
'same_site' => 'lax',
// Verify APP_KEY is set at boot
// bootstrap/app.php or a service provider
if (empty(config('app.key'))) {
throw new RuntimeException('APP_KEY is not set. Run: php artisan key:generate');
}
# NEVER commit .env to version control
# .gitignore already includes .env by default
# Use .env.example with placeholders instead
DB_PASSWORD=
APP_KEY=
SANCTUM_TOKEN_PREFIX=
# Validate required variables at boot
// In AppServiceProvider::boot()
$requiredKeys = ['app.key', 'database.connections.mysql.database', 'database.connections.mysql.username'];
foreach ($requiredKeys as $key) {
if (empty(config($key))) {
throw new RuntimeException("Missing required config key: {$key}");
}
}
// AppServiceProvider::boot() or middleware
if (app()->environment('production')) {
URL::forceScheme('https');
request()->server->set('HTTPS', 'on');
}
// config/app.php for trusted proxies (load balancers)
// Use specific IP ranges — * trusts all, allowing X-Forwarded-* spoofing
// AWS: '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
'trusted_proxies' => ['10.0.0.0/8', '172.16.0.0/12'],
// Force HTTPS in production via middleware
// app/Http/Middleware/ForceHttps.php
public function handle($request, Closure $next)
{
if (!$request->secure() && app()->environment('production')) {
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
'%s%s',
'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
env('APP_URL') ? ',' . parse_url(env('APP_URL'), PHP_URL_HOST) : ''
)));
'expiration' => 60 * 24, // Token expiration in minutes (null = never)
'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
// Issuing tokens with abilities
$token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;
// Validate abilities on routes
Route::middleware('auth:sanctum')->group(function () {
Route::get('/orders', function () {
// User must have 'read' ability
abort_unless(Auth::user()->tokenCan('read'), 403);
// ...
})->middleware('abilities:read');
Route::post('/orders', function () {
// User must have 'write' ability
abort_unless(Auth::user()->tokenCan('write'), 403);
// ...
})->middleware('abilities:write');
});
// config/hashing.php
// Default is bcrypt. Argon2id is stronger.
'bcrypt' => [
'rounds' => env('BCRYPT_ROUNDS', 12), // Increase for stronger hashing
],
'argon' => [
'memory' => 65536,
'threads' => 4,
'time' => 4,
],
// Password validation in RegisterRequest
public function rules(): array
{
return [
'password' => [
'required',
'confirmed',
Password::min(12)
->letters()
->mixedCase()
->numbers()
…
Write idiomatic Go tests, benchmarks, fuzz tests, and improve coverage.
Run repo tasks, debug CI, and deliver fixes with verified evidence.
Learn frontend patterns for React, Next.js, state, performance, and UI best practices.
Handle HIPAA privacy, security, PHI, and breach compliance tasks correctly.
Explore ECC agents, skills, commands, and onboarding from the live repository.
Choose regex first, then add LLMs for low-confidence parsing edge cases.
Apply Django security best practices for safer auth, app defenses, and deployment.
Apply Spring Boot security best practices for authentication, authorization, and service hardening.
Learn Laravel production architecture patterns and core backend implementation practices.
Verify Laravel projects with environment checks, tests, security scans, and release readiness.
Learn secure Perl practices to prevent common code and web vulnerabilities.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.