
OWASP Top 10 for Laravel developers - what to watch for?

Liam Harper Cybersecurity 137 views
I am preparing for a client security audit and want to make sure my Laravel app covers the OWASP Top 10. Laravel handles many things out of the box, but I want to know what commonly gets missed.

What I believe Laravel handles by default:
- SQL Injection: Eloquent uses prepared statements
- CSRF: Built-in CSRF token middleware
- XSS: Blade double curly braces auto-escape output

What I am less sure about:
- Broken Access Control: Are Gates and Policies enough?
- Security Misconfiguration: What production settings are often missed?
- Server-Side Request Forgery: How to prevent SSRF in apps that fetch external URLs?

Has anyone gone through a formal security audit on a Laravel project? What were the most common findings?

2 Replies

Best Answer
Engr Mejba Ahmed 5 days ago
Great questions, Liam. I do security audits professionally through xCyberSecurity.io, and here are the most common findings in Laravel apps:

Broken Access Control is the number one issue. Gates and Policies are excellent, but developers often forget to apply them consistently. Every controller method that accesses a resource should check authorization. Use authorize() in controllers or apply middleware.

Security Misconfiguration: The most missed items are APP_DEBUG=true in production, default APP_KEY, permissive CORS config, and missing rate limiting on login and API endpoints.

SSRF Prevention: If your app fetches external URLs (webhooks, image imports, etc.), validate and whitelist allowed domains. Never let user input directly become a URL that your server fetches.

Mass Assignment is another common one. Always define fillable on your models and never use Model::create(request()->all()).

I would recommend running PHPStan at level 8 and using tools like OWASP ZAP for automated scanning before any audit.
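One way to implement the SSRF allowlist described in the answer above, as an added example that is not code from the thread or from Laravel itself. The allowed hostnames, the OutboundUrlPolicy class and the callback_url parameter are constructed for illustration; the Http, abort_if and request helpers are Laravel's own.

```php
<?php
// Added example: allowlist check applied before any server-side fetch of a user-supplied URL.
// Hostnames below are constructed sample values, not real endpoints.
declare(strict_types=1);

final class OutboundUrlPolicy
{
    /** @var list<string> exact hostnames this app is allowed to fetch from (constructed) */
    private const ALLOWED_HOSTS = ['hooks.example.com', 'images.example.org'];

    /**
     * Return a rebuilt URL that is safe to hand to the HTTP client, or null to refuse.
     * The host must match the allowlist exactly: a suffix check such as "ends with
     * example.com" would also accept "example.com.attacker.test", so it is not used.
     */
    public static function sanitize(string $userInput): ?string
    {
        $parts = parse_url($userInput);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return null;                              // unparsable or relative URL
        }
        if (strtolower($parts['scheme']) !== 'https') {
            return null;                              // only TLS; no http, file, gopher, ...
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return null;                              // refuse "https://allowed-host@other-host/" confusion
        }
        $host = strtolower(rtrim($parts['host'], '.'));
        if (!in_array($host, self::ALLOWED_HOSTS, true)) {
            return null;                              // literal IPs (loopback, link-local, RFC1918) never match
        }
        if (isset($parts['port']) && $parts['port'] !== 443) {
            return null;                              // keep allowed hosts on their expected port
        }
        // Rebuild from validated components instead of reusing the raw input; fragment is dropped.
        return 'https://' . $host
            . ($parts['path'] ?? '/')
            . (isset($parts['query']) ? '?' . $parts['query'] : '');
    }
}

// Usage inside a controller action (hypothetical parameter name):
// $safe = OutboundUrlPolicy::sanitize($request->input('callback_url'));
// abort_if($safe === null, 422, 'Callback URL is not on the allowed list.');
// Http::timeout(5)->withoutRedirecting()->get($safe);
```

Redirects are disabled in the usage line because an allowlisted host that redirects to an internal address would otherwise bypass the check; a short timeout limits how long a slow remote host can tie up a worker.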
Carlos Mendez 3 days ago
Adding to the excellent response above: I also recommend the Laravel Security Checklist on GitHub. It covers everything from configuration to deployment. And definitely enable preventLazyLoading() in development because N+1 queries can also be a vector for DoS attacks on endpoints that expose collections.
