
Laravel Security: Some Tips

Let's make our project safer by following some notes I would like to share with you.

  • Blade XSS Attack

Blade's `{{ }}` syntax escapes output (https://laravel.com/docs/8.x/blade#displaying-unescaped-data), which is what stops user-supplied content from being rendered as markup, for example an injected `<script>` tag. Use the unescaped `{!! !!}` syntax only for content you already trust.

```blade
{{ $text }}    {{-- escaped: HTML tags in $text are rendered as literal text --}}
{!! $text !!}  {{-- unescaped: HTML in $text is rendered as-is --}}
```
  • Protect Your .env File

Never commit or expose the .env file: it holds database passwords and credentials for other services. Keep a `.env.example` with placeholder values in the repository instead. These links explain how the two files are used and how they differ:
https://blog.quickadminpanel.com/how-to-use-laravel-env-example-files/
https://www.youtube.com/watch?v=MeVXMKnRZuM

  • Don't Use $request->all()

The danger of using $request->all() is that nothing filters the submitted fields, so a user can add extra fields to the form (for example from the browser console) and have them mass-assigned to your model.
https://www.youtube.com/watch?v=QQS5oEOguRU
Use one of these instead, so only the fields you name reach the model:

```php
$request->validated();   // only the fields covered by the validation rules
$request->only(['name', 'email']);   // an explicit whitelist
$request->except(['is_admin']);      // everything except the listed keys
```
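An added example (not code from the original post) of the whitelisting approach: a FormRequest that names the only fields a user may change, and a controller that passes just the validated data to the model. The class, route and column names (UpdateProfileRequest, ProfileController, is_admin) are assumptions.

```php
<?php
// app/Http/Requests/UpdateProfileRequest.php (example; names are assumptions)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateProfileRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;
    }

    public function rules(): array
    {
        // Only these keys survive validated(); any other key in the payload,
        // such as a smuggled "is_admin" field, is silently dropped.
        return [
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ];
    }
}

// app/Http/Controllers/ProfileController.php (example)
namespace App\Http\Controllers;

use App\Http\Requests\UpdateProfileRequest;

class ProfileController extends Controller
{
    public function update(UpdateProfileRequest $request)
    {
        // Unsafe alternative: $request->all() would also hand "is_admin=1"
        // to update() whenever that column is listed in the model's $fillable.
        $request->user()->update($request->validated());

        return redirect()->route('profile.edit');
    }
}
```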
  • File Upload: Client Data

Keep in mind that the getClientOriginalName and getClientOriginalExtension methods are considered unsafe, as the file name and extension may be tampered with by a malicious user. For this reason, you should typically prefer the hashName and extension methods to get a name and an extension for the given file upload: https://laravel.com/docs/8.x/filesystem#other-uploaded-file-information

```php
$file = $request->file('avatar');

$name = $file->hashName();        // Generate a unique, random name...
$extension = $file->extension();  // Determine the file's extension based on the file's MIME type...
```
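An added example (not from the original post) of an upload handler that validates the file server-side and stores it under a random hashName() rather than the client-supplied name. The controller name, the "public" disk and the "avatars" directory are assumptions.

```php
<?php
// app/Http/Controllers/AvatarController.php (example; names are assumptions)
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class AvatarController extends Controller
{
    public function store(Request $request)
    {
        // Reject anything that is not a small raster image. "image" and "mimes"
        // inspect the file contents, not the extension the client claims.
        $request->validate([
            'avatar' => ['required', 'image', 'mimes:jpg,jpeg,png', 'max:2048'],
        ]);

        $file = $request->file('avatar');

        // Never build the stored path from getClientOriginalName(): it is
        // attacker-controlled and may carry path fragments or a misleading
        // extension. store() names the file hashName() + MIME-derived extension.
        $path = $file->store('avatars', 'public');

        // Persist only the server-generated path.
        $request->user()->update(['avatar_path' => $path]);

        return back();
    }
}
```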
  • APP_DEBUG=true in Production

The debug option in your config/app.php configuration file determines how much information about an error is actually displayed to the user. By default, this option is set to respect the value of the APP_DEBUG environment variable, which is stored in your .env file.

For local development, you should set the APP_DEBUG environment variable to true. In your production environment, this value should always be false. If the variable is set to true in production, you risk exposing sensitive configuration values to your application's end users.
https://laravel.com/docs/8.x/configuration#debug-mode

  • CSRF and Route::get()

Anytime you define a "POST", "PUT", "PATCH", or "DELETE" HTML form in your application, you should include a hidden CSRF _token field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the @csrf Blade directive to generate the hidden token input field

```blade
<form method="POST" action="/profile">
    @csrf

</form>
```

Do not use Route::get() for anything that changes data: GET requests are not covered by the CSRF verification middleware, so such a route can be triggered without the token.
https://laravel.com/docs/8.x/csrf
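An added example (not from the original post) showing a destructive action exposed the safe way: a DELETE route rather than a GET route, with the matching Blade form that carries the CSRF token and the spoofed method. The Task model, controller and route names are assumptions.

```php
<?php
// routes/web.php (example; Task, TaskController are assumptions)
use App\Http\Controllers\TaskController;
use Illuminate\Support\Facades\Route;

// Bad: a GET route that deletes data. VerifyCsrfToken does not check GET,
// so this could run from a plain link with no token at all.
// Route::get('/tasks/{task}/delete', [TaskController::class, 'destroy']);

// Good: state changes only through a verb the CSRF middleware verifies.
Route::delete('/tasks/{task}', [TaskController::class, 'destroy'])
    ->middleware('auth')
    ->name('tasks.destroy');

// app/Http/Controllers/TaskController.php (example)
public function destroy(Task $task)
{
    $this->authorize('delete', $task);   // see the policy section below
    $task->delete();

    return redirect()->route('tasks.index');
}

// resources/views/tasks/show.blade.php (Blade template, shown for completeness):
// <form method="POST" action="{{ route('tasks.destroy', $task) }}">
//     @csrf                 {{-- hidden _token field --}}
//     @method('DELETE')     {{-- hidden _method field; browsers only send GET/POST --}}
//     <button type="submit">Delete</button>
// </form>
```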

  • Rate Limiting

Throttle your routes so that a single client cannot flood your server with requests, for example by hammering a login form.
https://laravel.com/docs/8.x/routing#rate-limiting
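An added example (not from the original post) of Laravel 8's named rate limiters: one for the login route keyed on the submitted e-mail plus client IP, and a general one for the API. The limiter names and the per-minute figures are choices made for this example.

```php
<?php
// app/Providers/RouteServiceProvider.php (example; boot() calls this in Laravel 8)
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

protected function configureRateLimiting()
{
    // Key on e-mail + IP: bounds attempts against one account while a single
    // client cannot lock every user out by exhausting a per-e-mail bucket.
    RateLimiter::for('login', function (Request $request) {
        $email = strtolower((string) $request->input('email'));

        return Limit::perMinute(5)->by($email.'|'.$request->ip());
    });

    // General ceiling for the API, keyed on user id when authenticated.
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
    });
}

// routes/web.php (example): attach the limiter by name.
Route::post('/login', [LoginController::class, 'store'])
    ->middleware('throttle:login');
```

Laravel responds with HTTP 429 once the limit is exceeded; the `RateLimiter` facade can also be used directly inside a controller when a route-level limit is not enough.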

  • Protect Records from Access By Other Users

1. Add a check to the edit function so that only the user who created the task can edit it:

```php
public function edit(Task $task)
{
    if ($task->created_by_id != auth()->id()) {
        abort(403);
    }
    // edit
}
```

2. Policies
https://laravel.com/docs/8.x/authorization#creating-policies
We create a policy for the model:

```shell
php artisan make:policy TaskPolicy --model=Task
```

In the policy, check that the task belongs to the user:

```php
public function view(User $user, Task $task)
{
    return $task->created_by_id == $user->id;
}
```

Call authorize in the edit function so that the policy decides whether the user may edit:

```php
public function edit(Task $task)
{
    $this->authorize('view', $task);

    // edit
}
```

3. Use Laravel Roles and Permissions
https://www.youtube.com/watch?v=kZOgH3-0Bko
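An added example (not from the original post) that fills out the policy approach: separate view/update/delete abilities on TaskPolicy, enforced both by the `can` route middleware and by `authorize()` inside the action. It keeps the post's created_by_id column; the route names and UpdateTaskRequest are assumptions.

```php
<?php
// app/Policies/TaskPolicy.php (example; Laravel 8 auto-discovers it for Task)
namespace App\Policies;

use App\Models\Task;
use App\Models\User;

class TaskPolicy
{
    public function view(User $user, Task $task): bool
    {
        return $task->created_by_id === $user->id;
    }

    // Separate abilities so that read access never silently implies write access.
    public function update(User $user, Task $task): bool
    {
        return $task->created_by_id === $user->id;
    }

    public function delete(User $user, Task $task): bool
    {
        return $task->created_by_id === $user->id;
    }
}

// routes/web.php (example): the check runs before the controller is entered.
// "task" is the route parameter name, resolved by route model binding.
Route::put('/tasks/{task}', [TaskController::class, 'update'])
    ->middleware(['auth', 'can:update,task']);

// app/Http/Controllers/TaskController.php (example): check again inside the
// action, so the rule holds even if the route is later reused elsewhere.
public function update(UpdateTaskRequest $request, Task $task)
{
    $this->authorize('update', $task);   // aborts with 403 when the policy says no
    $task->update($request->validated());

    return redirect()->route('tasks.show', $task);
}
```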

  • Protect Against SQL Injection in Laravel DB Raw Queries

Never interpolate PHP variables ($...) into a raw query string. Put a question-mark placeholder in the SQL instead and pass all the values as a bindings array, so the database receives them separately from the query text.

```php
$orders = DB::table('orders')
    ->selectRaw('price * ? as price_with_tax', [1.0825])
    ->get();
```

Here are some sources if you want to dig deeper:
https://laravel.com/docs/8.x/queries#raw-expressions
https://developer.okta.com/blog/2020/06/15/sql-injection-in-php
https://en.wikipedia.org/wiki/SQL_injection
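An added example (not from the original post) of the same product search written the vulnerable way and the safe way. Values go through bindings; a sort column is an identifier, which cannot be bound, so it is checked against a whitelist instead. The table and column names (products, name, price, created_at) are assumptions.

```php
<?php
use Illuminate\Support\Facades\DB;

// VULNERABLE (for contrast only): user input is spliced into the SQL text, so a
// quote inside $term ends the string literal and the remainder is parsed as SQL;
// $sortColumn can likewise inject arbitrary SQL after ORDER BY.
function searchProductsUnsafe(string $term, string $sortColumn)
{
    return DB::select("SELECT * FROM products WHERE name LIKE '%$term%' ORDER BY $sortColumn");
}

// SAFE: values are sent as bindings (the ? placeholders), so they can never
// change the shape of the statement; the identifier is whitelisted.
function searchProductsSafe(string $term, string $sortColumn)
{
    $allowedSorts = ['name', 'price', 'created_at'];
    if (! in_array($sortColumn, $allowedSorts, true)) {
        $sortColumn = 'name';   // fall back rather than trusting the input
    }

    // Escape LIKE metacharacters so "%" or "_" in $term match literally.
    $pattern = '%'.addcslashes($term, '%_\\').'%';

    return DB::table('products')
        ->whereRaw('name LIKE ?', [$pattern])
        ->selectRaw('products.*, price * ? as price_with_tax', [1.0825])
        ->orderBy($sortColumn)
        ->get();
}

// The same binding discipline applies to DB::select() itself:
function findByEmail(string $email)
{
    return DB::select('SELECT * FROM users WHERE email = ?', [$email]);
}
```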

  • Protect from XSS Attack (WYSIWYG Text Editors)

First, enable as few editor features as possible, and in particular do not let users edit the HTML source.
Install the @ckeditor/ckeditor5-markdown-gfm plugin so the editor works with Markdown instead of raw HTML:
https://ckeditor.com/docs/ckeditor5/latest/features/markdown.html
Finally, if you must handle HTML for any reason, the https://github.com/mewebstudio/Purifier package removes malicious markup before you store or render it.
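An added example (not from the original post) that ties this section to the Blade XSS section above: rich-text input is cleaned with mewebstudio/Purifier before it is stored, and only that cleaned field is rendered unescaped. The config excerpt uses HTML Purifier's own keys; the Post model, the body field and the tag list are assumptions.

```php
<?php
// config/purifier.php excerpt (example): allow only a small tag/attribute set.
return [
    'settings' => [
        'default' => [
            'HTML.Allowed'        => 'p,b,strong,i,em,u,a[href|title],ul,ol,li,br,h2,h3,blockquote',
            'URI.AllowedSchemes'  => ['http' => true, 'https' => true, 'mailto' => true],
            'HTML.Nofollow'       => true,   // rel="nofollow" on every user-supplied link
            'AutoFormat.RemoveEmpty' => true,
        ],
    ],
];

// app/Http/Controllers/PostController.php (example)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Mews\Purifier\Facades\Purifier;

class PostController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]);

        // Strips <script>, on* event handlers, javascript: URLs and any tag or
        // attribute not in HTML.Allowed; what remains is safe to render as HTML.
        $data['body'] = Purifier::clean($data['body']);

        $request->user()->posts()->create($data);

        return redirect()->route('posts.index');
    }
}

// resources/views/posts/show.blade.php (Blade, shown as comments):
// <h1>{{ $post->title }}</h1>        {{-- plain text: always escaped --}}
// <div>{!! $post->body !!}</div>     {{-- unescaped ONLY because body was purified --}}
```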

  • Four "Dangerous" Laravel Features (Use With Caution)

1. Global Scopes
Beware of this feature (https://laravel.com/docs/8.x/eloquent#global-scopes): a developer who joins the project later sees a plain call such as User::all() and has no way of knowing that a hidden global scope silently filters out some rows. It is clearer to apply the filter explicitly in the query, for example restricting to the logged-in user with ->where('user_id', auth()->id()).

2. Eager Loading By Default
Beware of this feature (https://laravel.com/docs/8.x/eloquent-relationships#eager-loading-by-default): think of the future developers of your project, who will have every query also load the authors relationship even where they do not need it.

3. Global Middleware
Beware of this feature (https://laravel.com/docs/9.x/middleware#global-middleware): some parts of the application may not need the middleware at all, and a developer may not realise it is running on every request.

4. Overriding Framework Defaults
Beware of this too. Think of the developers who will join your project later: if a method called delete also writes to a different table and carries out instructions that have nothing to do with its name, they will be caught out. Overriding a well-known feature, function or property of the Laravel framework in this way is bad for future developers.


https://www.youtube.com/watch?v=m4CcU6GK6I8
https://www.youtube.com/watch?v=dWVTfY6cMBs
https://www.youtube.com/watch?v=lq57_NMoL6A
https://www.youtube.com/watch?v=WXUgf7DCHvg

New Sources :
https://www.youtube.com/watch?v=JLZjnHB7N_E

https://adevait.com/laravel/security-in-laravel

I hope you enjoyed the code as well as I enjoy knowing any information and then sharing it with you.
