Laravel Security Features

Laravel Security Features

A brief about the in-built features that makes a Laravel application secure.

Laravel is a popular web framework that is known for its security features. Some of the best security features of Laravel include:

  1. Encryption: Laravel provides a built-in encryption mechanism that allows you to encrypt and decrypt data. This can be useful for storing sensitive information, such as passwords or payment details, securely.

  2. Password hashing: Laravel uses the Bcrypt hashing algorithm to securely store user passwords. This means that even if an attacker gains access to the database, they will not be able to recover the original password.

  3. CSRF protection: Laravel automatically generates CSRF (cross-site request forgery) tokens for each active user session. These tokens are checked on each request to verify that the request is coming from an authenticated user.

  4. Input sanitization: Laravel provides built-in sanitization methods that allow you to remove potentially harmful characters from user input. This can help prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS).

  5. Authorization: Laravel includes a powerful authorization system that allows you to control access to resources based on user roles and permissions. This can help prevent unauthorized access to sensitive data or functionality.

[This first paragraph was generated by ChatGPT]

Differences between Encryption and Hashing

Encryption is a two-way street. What you encrypt can be decrypted with access to the right key. However, hashing is one-way. You cannot (realistically) un-hash what has been hashed.

So, how is Encryption useful in Laravel? Let's look at some code.

Say you have some data you want to pass from one end to another, but this data will go through a public domain. You might want to consider encrypting such data depending on the level of sensitivity.

An example.

I want a user who is not signed into my app to click on a link that enables them to reset their password. And I also want the link to contain a URL query parameter that I can use to identify such a user.

I can have a link like this,

So when a user clicks on that link it would launch a page where they can input a new password, and the change would take effect for the email in the query param.

This will work, however, a serious security risk is exposed here. Any smart user can immediately know that they can gain access to another person's account by changing the email parameter, and set a new password.

A way to improve this would be to encrypt the query parameter. Laravel provides inbuilt methods to do this. Such as,

encrypt('')  // Encrypt the data

decrypt('eyJpdiI6Ik5PaFdYVC9WNk55SWU4ZjJ1cDR0N1E9PSIsInZhbHVlIjoicjFXTExvdjBRME9TRjJoTmpEdjA0UT09IiwibWFjIjoiOWNiOWQ3MTI1MWE4MmQxYjIyOTE2MDE5YzNjNjQwMTFiODFjN2RiZWM0NmZmMzQ5ZDAyYWE3Mjg4MzNhNDUyZSIsInRhZyI6IiJ9') // Decrypt the text to get back the data

Or you could call the Crypt class static methods.

Crypt::encrypt('')  // Encrypt the data
Crypt::decrypt('eyJpdiI6Ik5PaFdYVC9WNk55SWU4ZjJ1cDR0N1E9PSIsInZhbHVlIjoicjFXTExvdjBRME9TRjJoTmpEdjA0UT09IiwibWFjIjoiOWNiOWQ3MTI1MWE4MmQxYjIyOTE2MDE5YzNjNjQwMTFiODFjN2RiZWM0NmZmMzQ5ZDAyYWE3Mjg4MzNhNDUyZSIsInRhZyI6IiJ9') // Decrypt the text to get back the data

This uses your application's APP_KEY to perform the encryption and decryption, hence you must make sure to keep the key private and backed up. If it changes, the previously encrypted data would be impossible to decrypt.

It is also worth mentioning that this method uses PHP open_ssl_encrypt and open_ssl_decrypt methods, so if don't want to use the methods provided by Laravel, you can opt for the native PHP methods, however, you'd quickly find that the DX (developer experience) of Laravel's methods is much better.

Next, a quick look at Hashing.

One of the most common places where you find this in use is signup/login methods.

It is more secure to store passwords as Hash. Instead of pure text. So when the user logs in you compare the inputted password hash and the existing hash of the password in the database.
And Laravel uses bcyrpt for hashing.

$inputtedPassword = bcrypt('inputted_password')
$passwordFromDb = '$2y$10$XsXxhEd.c2P8.QI28IEB1OFnJIWc3NFn9zojBewzDAY.zNuEckJjy'

if ($inputtedPassword === $passwordFromDb) {
    // Login user
} else {
    // Throw Error

Overall, Laravel provides many security features that can help protect your application from common vulnerabilities and keep your data safe.