Building secure Laravel applications might feel like an afterthought sometimes, but Stephen Rees-Carter dropped some serious knowledge at Laracon AU 2024 that made me rethink a few things. Stephen’s an ethical hacker who’s seen it all — and by that, I mean he’s hacked into a lot of Laravel apps, all to help devs like us see the cracks we tend to miss.
Inspired by his insights, I wrote up a guide to some of the most overlooked security steps that can make a huge difference in protecting your Laravel projects. Here’s a taste of what’s inside:
- Outdated Packages – We all love libraries to speed things up, but if you’re not updating regularly, you’re basically leaving the door open. Run
composer updatemore often than you think you need to. - Secured Session Cookies – A tiny
.envsetting can be the difference between safe cookies and easy-to-steal cookies. It’s a quick fix that you’ll thank yourself for later. - HSTS Encryption – Man-in-the-middle attacks? Nope, no thank you. Setting up HSTS means your users will always be on HTTPS, making these attacks a whole lot harder.
- Blade Syntax Gotchas – If you’re mixing up
{!! !!}and{{ }}, you’re risking XSS vulnerabilities. Small syntax mistake, big consequences. - Markdown Risks – Rendering Markdown without the right options can open doors you didn’t realize. A couple of config tweaks make it way safer.
- Trusting Third-Party Code – CDNs are awesome, but adding integrity hashes keeps them secure. Don’t just copy the link and move on — check those hashes!
It might all sound obvious, but missing even one of these steps could leave your app exposed. Want the full lowdown? Read here: https://laraveleco.com/how-to-keep-your-laravel-application-hacker-free/
Top comments (0)