Laravel Application Security Features (Omniceps)

In this post we are going to look at the security features of Laravel 5 and at how to improve the security of a Laravel application further.

Laravel is a PHP development framework which is quickly gaining popularity and has an ever-growing community. Although Laravel covers a lot of security features, we must remember that no framework is perfect and all frameworks improve with time.

Many security concerns are already taken care of by Laravel, and if a loophole is found it is fixed by the active development team very quickly. Still, there are many ways in which you can improve the security of your Laravel application yourself. So let's see today what the main security features of Laravel are and how we can further improve a Laravel application's security.

Security Features of Laravel 5:

Below are some of the features already implemented which provide a base for Laravel application security.

1. Laravel’s own Authentication system:

Laravel has already done most of the work of user authentication, and all the boilerplate code comes ready to use. At its core Laravel uses “providers” and “guards” to facilitate authentication. With guards one controls how users are authenticated for each request made, and providers handle retrieving users from the database (storage).

As a developer, the only part which remains to be implemented is setting up the database, controllers and user-related models to complete the authentication. The authentication features can also be extended easily.

2. Protection against SQL injection:

Eloquent ORM in Laravel uses PDO parameter binding to defend against SQL injection. Binding the parameters ensures that data passed by users in request variables is never placed directly into SQL queries. Without it, user input could alter the query, which for an attacker is an opportunity for data theft and other serious consequences.

As an example, consider a form which requires an email field to be submitted; the email is then used to retrieve the user and display information about that user. A smart hacker would instead use this opportunity to attempt SQL injection. Instead of a plain email address this hacker submits `[email protected]’ or 1=1`. If not treated correctly it will result in a query something like below:

The 1=1 expression attached at the end of this query always evaluates to true, which means that, because of the “OR” condition, all the records in the users_table will be returned.

However, when we use PDO parameter binding the input parameters are escaped appropriately, so that the resulting query will look something like this:

Since no email in the table matches `[email protected]’ or 1=1`, this query will safely return 0 results.

Laravel does provide raw queries, which some may argue are easier to use than learning the ORM all the way, but the additional effort may well be worth it, as it will safeguard you against one of the most common security flaws.


3. Protection against CSRF (Cross Site Request Forgery):

When a user who is already authenticated on your web application visits a website containing a malicious link which in turn sends a request to one of your application's routes, your back-end only knows that the request came from an authenticated user. The attacker, however, controls the data sent along with that request.

Laravel uses CSRF tokens to stop third parties from generating such forged requests. A valid token is generated and must be included in each request, whether it comes from a form or from an AJAX call. Laravel then automatically compares this token with the value it has stored in that particular user’s session. If the token doesn’t match the stored one, the request is considered invalid; otherwise, from a CSRF point of view, the request is valid.

If you are manually creating forms using standard HTML in Blade templates (which is not the recommended choice), then you must pass the CSRF token in the form as shown below:
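The following Blade view is an added example, not code from the original post: it shows the hidden `_token` field for a plain HTML form and the meta tag plus `X-CSRF-TOKEN` header that lets an AJAX request pass the same check. The view path, the `/profile` route and the `$user` variable are assumptions.

```php
{{-- resources/views/profile/edit.blade.php (assumed path). A hand-written HTML
     form must carry the session's CSRF token, otherwise the VerifyCsrfToken
     middleware rejects the POST with a TokenMismatchException. --}}
<form method="POST" action="{{ url('/profile') }}">
    {{ csrf_field() }}  {{-- renders <input type="hidden" name="_token" value="..."> --}}
    <input type="text" name="name" value="{{ $user->name }}">
    <button type="submit">Save</button>
</form>

{{-- For AJAX, expose the same token once (normally in the layout's <head>) ... --}}
<meta name="csrf-token" content="{{ csrf_token() }}">

<script>
  // ... and send it in the X-CSRF-TOKEN header, which VerifyCsrfToken also accepts.
  // A forged request from another origin cannot read this page, so it cannot
  // obtain the token and the middleware rejects it.
  fetch('/profile', {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content
    },
    body: JSON.stringify({ name: 'Alice' })
  });
</script>
```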

On the other hand, if you use the recommended method of generating HTML with LaravelCollective/html, Laravel takes care of the CSRF token and adds it automatically to every form.

4. Protection against XSS (Cross Site Scripting):

An XSS attack is when a user uses input fields to add JavaScript code to your web page. Whenever other users open that page, this JavaScript code is executed too, and it may be malicious.

Take as an example any blogging portal which allows users to post comments. Suppose a malicious user posts the comment below:

If you have not done any kind of escaping or other prevention on the comments, this will be inserted as JavaScript code on your blog page and it will execute every time a user visits the page. This is generally known as cross site scripting, or an XSS attack.

Laravel does automatic escaping while saving content to the database and also while printing content out in the HTML. So when a variable is rendered with the escaping tags, the above input will be output in the HTML as:


How to improve Laravel Application Security:

Laravel comes with a lot of security features, which already makes it more secure than many of the PHP frameworks out there. Still, you can improve your Laravel application's security further by implementing the following items.

1. Avoid using Raw Queries to prevent SQL injection:

As discussed above, Laravel takes care of SQL injection by using PDO bindings, which in turn ensures that no variable goes into a database query unescaped. Still, there are instances where a developer would like to use a raw query instead of building one with Laravel’s ORM. While doing so, make sure you use prepared statements. For example, the code below is prone to SQL injection:

Here the 1=1 expression in the OR condition will cause all the rows of the users table to be returned. By using a prepared statement the above code can be changed to:

When Laravel replaces the question marks with the query variables, it automatically escapes the input values, and hence safeguards your application against SQL injection.
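As an added example (not code from the original post), covering both the SQL injection discussion above and this tip, here is the same email lookup written as an interpolated raw query and then as a prepared statement, a query-builder call and a bound `whereRaw`. The `users` table and the `email` request field are assumptions; the injected input is a constructed sample.

```php
<?php
// Laravel 5 controller or tinker snippet (added example). $email is taken
// straight from the request, so treat it as attacker-controlled.
use Illuminate\Support\Facades\DB;

$email = request('email');
// Constructed malicious sample of what the request might carry:
//   x@example.com' OR '1'='1

// VULNERABLE: string interpolation pastes the input into the SQL text. With the
// sample above the statement becomes
//   select * from users where email = 'x@example.com' OR '1'='1'
// and the OR condition returns every row in the table.
$rows = DB::select("select * from users where email = '$email'");

// SAFE: a prepared statement. PDO sends the ? placeholder and the value
// separately, so the quote and the OR '1'='1' are compared literally against
// the email column and no row matches.
$rows = DB::select('select * from users where email = ?', [$email]);

// SAFE: the query builder (and Eloquent) bind every value the same way.
$user = DB::table('users')->where('email', $email)->first();

// Even when a raw SQL fragment is unavoidable, keep the values in bindings
// rather than in the fragment itself.
$rows = DB::table('users')
    ->whereRaw('lower(email) = ?', [strtolower($email)])
    ->get();
```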

2. Force HTTPS if Your Application is Exchanging Sensitive Information:

When you serve your web application over HTTP, every bit of information transferred over the network, passwords included, is sent as plain text. This information can be intercepted by a malicious hacker, compromising your users’ sensitive information. The simple way to prevent this is to use HTTPS.

All you need to do is get an SSL certificate installed and use one of Laravel’s many helpers to switch between HTTP and HTTPS and to hide certain routes. For example, you can define the following filter, which will redirect your users to the secured route:
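Laravel 5 expresses this kind of filter as middleware; the class below is an added example (not from the original post) that redirects any plain-HTTP request to its HTTPS counterpart and sets an HSTS header on the way back. The class name, file path and the production-only condition are assumptions.

```php
<?php
// app/Http/Middleware/ForceHttps.php (assumed path, added example)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceHttps
{
    public function handle(Request $request, Closure $next)
    {
        // secure() honours X-Forwarded-Proto once the load balancer is configured
        // as a trusted proxy, so this also works behind TLS termination.
        // Limiting it to production keeps local http://localhost development usable.
        if (! $request->secure() && app()->environment('production')) {
            // 301 so browsers and crawlers remember the HTTPS URL.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: browsers that have seen this header go straight to HTTPS for a
        // year, so the redirect above is only needed on a first visit.
        $response->headers->set(
            'Strict-Transport-Security',
            'max-age=31536000; includeSubDomains'
        );

        return $response;
    }
}

// Register it in app/Http/Kernel.php so it runs for every request, e.g.
//   protected $middleware = [ /* ... */ \App\Http\Middleware\ForceHttps::class ];
```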

3. Escape Content to Prevent XSS:

To avoid XSS attacks you should use the double brace syntax in Blade templates: `{{ $variable }}`

Only use the `{!! $variable !!}` syntax when you are sure that the data in the variable is safe to be displayed unescaped.

4. Setup Laravel Security Headers:

You can use https://github.com/BePsvPT/secure-headers to add extra security headers to your Laravel app. It covers all the main headers.

Once done, don’t forget to check the headers in a browser. After that you can test them here: https://securityheaders.io/

5. Use Laravel Purifier to enhance your Security:

The double curly braces in Laravel make sure that no raw HTML is output to the client, but what if you do want to output an HTML variable from your database to the client? For this you can use HTML Purifier, a well-maintained tool that will clean up the markup and take care of illegal and missing HTML.
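The block below is an added example, not code from the original post or from the purifier package, and it ties together the XSS section above, the `{{ }}` versus `{!! !!}` tip and this one: a single constructed malicious comment rendered escaped, raw, and through HTML Purifier with a tag allowlist. It assumes a Laravel 5 app with the `ezyang/htmlpurifier` library (the one the Laravel purifier packages wrap) installed via Composer.

```php
<?php
// Added example: one stored blog comment, three ways of putting it on the page.

// Constructed attacker input of the kind a comment form might receive.
$comment = '<b>Great post!</b> <script>alert("xss")</script>'
         . ' <a href="javascript:alert(1)">click me</a>';

// 1. Escaped: what Blade emits for {{ $comment }}. Blade compiles the braces to
//    a call to the e() helper, so < > " & become entities and the browser shows
//    the tags as literal text; nothing executes.
$escaped = e($comment);
// &lt;b&gt;Great post!&lt;/b&gt; &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; ...

// 2. Raw: what {!! $comment !!} emits. The string reaches the DOM unchanged, the
//    <script> runs and the javascript: link is live. Reserve this for markup your
//    own code generated, never for stored user input.
$raw = $comment;

// 3. Purified: allow a small set of formatting tags and safe URL schemes and let
//    HTML Purifier drop everything else. This is the option when users may use
//    limited formatting (bold, links, lists) but never scripts or event handlers.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,strong,em,a[href],ul,ol,li,br');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($comment);
// Roughly: <b>Great post!</b> <a>click me</a>
// (the script element is removed with its contents; the javascript: href is dropped)

// Render $clean with {!! $clean !!}; everything else stays in {{ }}. Note that
// {{ }} escapes for an HTML body context only: a value placed inside an inline
// <script> block or an unquoted attribute still needs its own encoding.
```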

To learn more about HTML purifier visit this link -> https://kuztek.com/blog/use-laravel-purifier-security

So this was all about improving Laravel application security.