At Agira, Technology Simplified, Innovation Delivered, and Empowering Business is what we are passionate about. We always strive to build solutions that boost your productivity.

,

Best Laravel Security Practices You Must Try It Out!

  • By Nithin Kumar C N
  • September 20, 2018
  • 991 Views

Laravel is one of the best PHP framework that are currently available and security is one important feature that we need to consider while designing web applications to assure the users that their data is secured. Laravel also provides several security mechanisms to secure the website. However best it is, it is  always best to ensure the quality of the final product by applying the best possible practices. In this blog, will discuss those best practices that we must follow while developing the Laravel applications.

Use the latest stable version

The most recommended best practice is to always use the latest stable version for the development of your Laravel application. The current stable version available is Laravel 5.7.

Laravel Security Features

Currently Laravel provides some best security features to reduce the vulnerabilities in the application as listed below,

  1. Laravel Authentication System
  2. Reduce Laravel Vulnerabilities From CSRF
  3. Protection against XSS (Cross Site Scripting)
  4. SQL Injection
  5. Laravel Security Packages

 

Laravel Authentication System

The guard defines the logic of authentication. It is a way of supplying the logic that’s used to identify the authenticated users. Basically Laravel provides different guards like session and token. The session guard maintains the state of the user in each request by using the cookies and the token guard to authenticate the user by checking the valid token in every request passes by.
Usually guard is used for defining the logic of authentication and similarly Providers is used to define how users are retrieved from your persistent storage. Laravel comes with two default authentication providers, one is  using eloquent and the other one is database query builder. Database authentication provider deals with the direct retrieval of the user credentials from the back-end storage but still they both differs by the process and similarly Eloquent provides an abstraction layer that does all the necessary things we require.

Best To Read: Introduction To E2E Testing In Angular CLI Using Protractor

 

Reduce Laravel Vulnerabilities From CSRF

Laravel typically uses CSRF tokens to make sure that external third parties couldn’t generate fake requests and should not breach the Laravel security. For this, Laravel automatically generates CSRF token for each active user session. When the request is invoked then Laravel compares the request token with the previously saved token in the user’s session. If the token is mismatched then the request is considered as invalid and it terminates the execution. Also, whenever you define an HTML form  in your application, you must include a hidden CSRF field so that the CSRF protection middleware will take care of the rest. In the latest Laravel version, they have created a new Blade directive @csrf to generate the token field.
For Example, you can see how i have used,

<form method=”POST” action=”/product”>
@csrf
</form>

 

SQL Injection

another added advantage of using Laravel’s Eloquent ORM is that it’s uses PDO parameter binding to avoid SQL injection. Parameter binding prevents intruders from modifying the intent of SQL Queries. For example, let’s consider a form field used to collect an e-mail address which might also be used for searching a user table. But instead of supplying an e-mail address the user will search for ‘nithin@example.com’ or 1=1 which will lead the form unsecured and the resulting query might look like this:
SELECT * FROM users WHERE email = ‘nithin@example.com’ or 1=1
From this you can understand what is mean by 1=1 syntax, this logical expression always returns true so as a result of this, all the records will be fetched from the users table.
Instead of passing the above expression, Intruders can also pass like  ‘nithin@example.com’;  drop table users In to the search table, then immediately the query will look like below.

SELECT * FROM users WHERE email = 'nithin@example.com'; drop table users;

 
When this query is executed, and the corresponding MySQL account happened to have the DROP privilege then the entire users table will be removed.
So to overcome all these, here comes the use of PDO parameter binding. The PDO parameter binding will change the supplied input into quoted.
For example, let’s assume to pass the query which is basically passed by the intruders,

SELECT * FROM users WHERE email = 'nithin@example.com' or 1=1

 
 
And now you can see how its changed into quoted format with help of PDO parameter binding,

SELECT * FROM users WHERE email = 'nithin@example.com or 1=1'

 
Now there will not be any possible email values matching to  ‘nithin@example.com or 1=1’, so obviously it will not return any values. Hopefully, you know how to handle the intruders now.

Cross-site scripting

Another case, consider if intruders passes the following string into a comment or user profile,

My list <script>alert("spam spam spam!")</script>

 
If this string is got to be saved in database without applying any filter, Once the string got saved, then it will be displayed in a web page as an alert windows to the end user. This attack is an example of cross-site scripting. This is just a simple case i have explained here for your understanding but likewise more major issues can come due to cross-site scripting.
Let check how the cross-site script issue can be solved by the Laravel. When a variable is rendered within escape tags then it will render the string like so and thus preventing the possibility of cross-site scripting. Ususally the escape tags can be rendered in a 3 different way as you can see here.

 {% raw %}
@{{}}
{% endraw %}

 
Once we render these escape tags then the query will get generated like this,

My list &lt;script&gt;alert("spam spam spam!")&lt;/script&gt;

 
We can also use double-brace syntax inside the blade templates to avoid the XSS attacks. For example

({{ $variable}}) .

 
Also you can use

{!! $variable !!}

 
If the data is placed inside the variable then it is safer to be displayed. 

Related: How To Create A Custom Validation Rule In Laravel

 

Laravel Security Packages

Laravel has several packages to secure the application. Following are some of the widely used Laravel security packages.
Laravel Security Component
 Laravel security component mainly provides security for the roles/objects and integrates Symfony security core in Laravel. It uses voters to check role based privileges for different roles so it could validate its security.

Laravel Security

Laravel security is one of the most frequently used packages and is known for removing XSS vulnerabilities in the codebase. It has been ported from Codeigniter 3 into Laravel 5.

Laravel-ACL

Laravel-ACL provides role based secured permissions to the Laravel authentication process. The package helps protecting routes and CRUD controller methods in the applications.
Also there are many laravel security packages are available but i have listed here few and if you want to know all those too then here is the link https://packalyst.com/packages/tag/security you can check it out! Hope you will find it helpful! Post us your queries & suggestions in comment box, we like to hear from you!

Nithin Kumar C N

Passionate Senior Software Developer, Expert in PHP, Laravel, JQuery, Angular, With 6 years of experience in web development, he strongly committed himself in delivering authentic applications. Also, he continuously update himself with new technologies & features which drives him to come up with blogs on unique topic.