Laravel - Security


Security is important feature while designing web applications. It assures the users of the website that their data is secured. Laravel provides various mechanisms to secure website. Some of the features are listed below −

  • Storing Passwords − Laravel provides a class called “Hash” class which provides secure Bcrypt hashing. The password can be hashed in the following way.

$password = Hash::make('secret');
  • make() function will take a value as argument and will return the hashed value. The hashed value can be checked using the check() function in the following way.

Hash::check('secret', $hashedPassword)

The above function will return Boolean value. It will return true if password matched or false otherwise.

  • Authenticating Users − The other main security features in Laravel is authenticating user and perform some action. Laravel has made this task easier and to do this we can use Auth::attempt method in the following way.

if (Auth::attempt(array('email' => $email, 'password' => $password))) {
   return Redirect::intended('home');

The Auth::attempt method will take credentials as argument and will verify those credentials against the credentials stored in database and will return true if it is matched or false otherwise.

  • CSRF Protection/Cross-site request forgery (XSS) − Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users. To avoid this kind of attack, you should never trust any user-submitted data or escape any dangerous characters. You should favor the double-brace syntax ({{ $value }}) in your Blade templates, and only use the {!! $value !!} syntax, where you're certain the data is safe to display in its raw format.

  • Avoiding SQL injection − SQL injection vulnerability exists when an application inserts arbitrary and unfiltered user input in an SQL query. By default, Laravel will protect you against this type of attack since both the query builder and Eloquent use PHP Data Objects (PDO) class behind the scenes. PDO uses prepared statements, which allows you to safely pass any parameters without having to escape and sanitize them.

  • Cookies – Secure by default − Laravel makes it very easy to create, read, and expire cookies with its Cookie class. In Laravel all cookies are automatically signed and encrypted. This means that if they are tampered with, Laravel will automatically discard them. This also means that you will not be able to read them from the client side using JavaScript.

  • Forcing HTTPS when exchanging sensitive data − HTTPS prevents attackers on the same network to intercept private information such as session variables, and log in as the victim.