Security Is Not Optional
A single security breach can destroy customer trust, trigger regulatory fines, and cost millions in remediation. Laravel provides excellent security defaults, but defaults only protect you if you understand them and extend them where needed. This checklist covers every vulnerability category that Laravel developers must address.
SQL Injection Prevention
Eloquent and the Query Builder use parameter binding automatically. Never concatenate user input into raw queries. When you must use DB::raw(), bind parameters explicitly: DB::select('SELECT * FROM users WHERE email = ?', [$email]). This applies to whereRaw(), orderByRaw(), and any method that accepts raw SQL. A single unparameterized query can expose your entire database.
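As an added example (not code from the original post), the same lookup written with concatenated input and then with an explicit binding, plus the case a binding cannot cover: a user-chosen sort column passed to orderByRaw(), which must be allowlisted because identifiers are not bindable. It assumes a users table with email, name and created_at columns.

```php
<?php
// Added example, not from the original post. Assumes Laravel's DB facade
// and a `users` table with `email`, `name` and `created_at` columns.

use Illuminate\Support\Facades\DB;
use Illuminate\Http\Request;

// VULNERABLE: user input is pasted into SQL text, so a single quote in
// $email ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(string $email)
{
    return DB::table('users')
        ->whereRaw("email = '" . $email . "'")
        ->first();
}

// SAFE: the value travels as a bound parameter and is never parsed as SQL.
function findUserSafe(string $email)
{
    return DB::table('users')
        ->whereRaw('email = ?', [$email])
        ->first();
}

// Column names and sort direction are identifiers, not values, so they
// cannot be bound. Accept them only from a fixed allowlist.
function listUsersSorted(Request $request)
{
    $allowedColumns = ['name', 'email', 'created_at'];
    $column = $request->query('sort', 'created_at');
    $direction = strtolower($request->query('dir', 'asc')) === 'desc' ? 'desc' : 'asc';

    if (!in_array($column, $allowedColumns, true)) {
        abort(400, 'Invalid sort column');
    }

    // Safe only because $column and $direction were validated above.
    return DB::table('users')
        ->orderByRaw("{$column} {$direction}")
        ->limit(50)
        ->get();
}
```

The same allowlist check applies to any identifier (table, column, direction) interpolated into whereRaw(), orderByRaw(), selectRaw() or DB::raw().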
Cross-Site Scripting (XSS)
Blade's {{ }} syntax auto-escapes output. Use {!! !!} only when rendering trusted HTML like content from a rich text editor with server-side sanitization. Never render user input with {!! !!} without sanitizing first. Use a library like HTMLPurifier to strip malicious tags and attributes from user-submitted HTML.
Cross-Site Request Forgery (CSRF)
Laravel includes CSRF protection middleware by default. Every form must include @csrf. For SPA APIs, use Sanctum's cookie-based authentication which handles CSRF automatically via the XSRF-TOKEN cookie. Never disable CSRF protection to "fix" form submission issues—the real fix is including the token.
Mass Assignment Protection
Define $fillable on every model to whitelist assignable attributes. Never use $guarded = [] in production. A single unguarded model can let attackers set is_admin = true through a crafted request. Review your models regularly to ensure new columns are either in $fillable or explicitly excluded.
Authentication Best Practices
Enforce strong passwords with Laravel's password validation rules. Implement rate limiting on login endpoints: RateLimiter::for('login', ...). Enable two-factor authentication for admin accounts. Hash passwords with bcrypt, which is Laravel's default—never store plaintext passwords or use weak hashing algorithms.
Headers and Configuration
Set APP_DEBUG=false in production—debug mode leaks environment variables and stack traces. Configure security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security. Use HTTPS everywhere. Force HTTPS in production by setting FORCE_HTTPS=true or configuring your reverse proxy.
Dependency Auditing
Run composer audit and npm audit regularly to detect known vulnerabilities in dependencies. Pin dependency versions in production. Review third-party packages before installing—check maintenance status, download counts, and open issues. A single compromised package can expose your entire application.
Conclusion
Laravel gives you strong security defaults. Your job is to not weaken them and to add protection where the framework cannot. Review this checklist before every production deployment. Security is not a feature you build once—it is a practice you maintain continuously.