laravel-security

# Laravel Security Best Practices Comprehensive security guidance for Laravel applications to protect against common vulnerabilities. ## When to Activate - Adding authentication or authorization - Handling user input and file uploads - Building new API endpoints - Managing secrets and environment settings - Hardening production deployments ## How It Works - Middleware provides baseline protections (CSRF via `VerifyCsrfToken`, security headers via `SecurityHeaders`). - Guards and policies enforce access control (`auth:sanctum`, `$this->authorize`, policy middleware). - Form Requests validate and shape input (`UploadInvoiceRequest`) before it reaches services. - Rate limiting adds abuse protection (`RateLimiter::for('login')`) alongside auth controls. - Data safety comes from encrypted casts, mass-assignment guards, and signed routes (`URL::temporarySignedRoute` + `signed` middleware). ## Core Security Settings - `APP_DEBUG=false` in production - `APP_KEY` must be set and rotated on compromise - Set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax` (or `strict` for sensitive apps) - Configure trusted proxies for correct HTTPS detection ## Session and Cookie Hardening - Set `SESSION_HTTP_ONLY=true` to prevent JavaScript access - Use `SESSION_SAME_SITE=strict` for high-risk flows - Regenerate sessions on login and privilege changes ## Authentication and Tokens - Use Laravel Sanctum or Passport for API auth - Prefer short-lived tokens with refresh flows for sensi...