You've built your Laravel app. Features are done. Tests are passing.
It’s time to hit Deploy.
But before you ship to production, take a deep breath—and make sure you’ve locked the doors.
Because once your app is live, it becomes a public target.
And trust me—bots, scrapers, and hackers are already waiting.
Here’s a practical, battle-tested Laravel security checklist to review before you deploy.
🔒 1. Turn Off Debug Mode
The #1 Laravel mistake in production.
Check your `.env`:

```ini
APP_ENV=production
APP_DEBUG=false
```

When `APP_DEBUG=true`, Laravel will expose:
- Stack traces
- File paths
- Environment variables
- Even API keys

✅ Must-do:
- Triple-check `APP_DEBUG` before every deployment
- Automate this check in CI/CD
🔐 2. Set File & Directory Permissions Correctly
Don’t `chmod` everything to `777` and walk away.

✅ Recommended:

```bash
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R 755 storage
sudo chmod -R 755 bootstrap/cache
```

Make sure:
- `.env` isn’t publicly accessible
- `storage/` and `bootstrap/cache/` are writable (but not executable)
- Your app can't write to random directories
🧾 3. Sanitize & Validate Every Input
Even if it “worked fine in dev”, dirty inputs cause:
- XSS
- SQL injection
- Broken logic
Use Form Request classes:

```php
public function rules()
{
    return [
        'name' => 'required|string|max:255',
        'email' => 'required|email',
    ];
}
```

For user-generated content, sanitize HTML using:
- `mewebstudio/purifier`
- Or allow only plaintext
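Here is how the two pieces fit together in a full request/controller pair. This is an added example, not code from the original post: the `StoreCommentRequest`, `CommentController` and `Comment` model names are hypothetical, and the `Purifier::clean()` call is the facade shipped by the purifier package named above (two files are shown in one listing; in an app they live at the paths in the comments).

```php
<?php
// Added example, not code from the original post. Two files shown in one
// listing; in a real app they live at the paths given in the comments.
// Class, model and field names are hypothetical.

// app/Http/Requests/StoreCommentRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class StoreCommentRequest extends FormRequest
{
    // Authorization is separate from validation: reject anonymous callers here.
    public function authorize(): bool
    {
        return $this->user() !== null;
    }

    public function rules(): array
    {
        return [
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email'],
            // HTML is accepted in "body" only because it is purified before storage.
            'body'  => ['required', 'string', 'max:5000'],
        ];
    }
}

// app/Http/Controllers/CommentController.php
namespace App\Http\Controllers;

use App\Http\Requests\StoreCommentRequest;
use App\Models\Comment;
use Mews\Purifier\Facades\Purifier;

class CommentController extends Controller
{
    public function store(StoreCommentRequest $request)
    {
        // validated() contains only the keys listed in rules(), so extra
        // request fields never reach the model (no mass-assignment surprises).
        $data = $request->validated();

        // Strip scripts, event handlers and unknown tags from the user's HTML.
        $data['body'] = Purifier::clean($data['body']);

        // Plain-text fields get no HTML at all; Blade's {{ }} escapes them on output.
        $data['name'] = strip_tags($data['name']);

        Comment::create($data);

        return back()->with('status', 'Comment posted.');
    }
}
```

On output, render the purified `body` with `{!! !!}` only because it went through the purifier; every other field goes through `{{ }}`, which HTML-escapes it. `Comment::create()` also assumes the model lists `name`, `email` and `body` in `$fillable`.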
🚧 4. Restrict Access to Debug Tools
Telescope, Horizon, Nova—amazing tools, but dangerous if public.
Protect them:

```php
Gate::define('viewTelescope', fn ($user) => $user->isAdmin());
```

Or better:
- Hide in production using `APP_ENV`
- Restrict by IP or auth middleware
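Both measures together, as an added example (not code from the original post): Telescope is registered only outside production, and the gate restricts the dashboard to admins in every other environment. The `isAdmin()` method on the `User` model is assumed to exist.

```php
<?php
// Added example, not code from the original post. Two provider files shown
// in one listing. isAdmin() on the User model is assumed to exist.

// app/Providers/AppServiceProvider.php
namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        // In production this branch is skipped, so Telescope's routes,
        // migrations and watchers are never loaded at all.
        if ($this->app->environment('local', 'staging')) {
            $this->app->register(\Laravel\Telescope\TelescopeServiceProvider::class);
            $this->app->register(TelescopeServiceProvider::class);
        }
    }
}

// app/Providers/TelescopeServiceProvider.php
namespace App\Providers;

use Illuminate\Support\Facades\Gate;
use Laravel\Telescope\TelescopeApplicationServiceProvider;

class TelescopeServiceProvider extends TelescopeApplicationServiceProvider
{
    protected function gate(): void
    {
        // Telescope checks this gate on every dashboard request unless the
        // app is in the "local" environment, where access is open by default.
        Gate::define('viewTelescope', function ($user) {
            return $user->isAdmin(); // assumed helper on App\Models\User
        });
    }
}
```

For the conditional registration to take effect, remove the Telescope provider from the `providers` list in `config/app.php` and add `laravel/telescope` to the `extra.laravel.dont-discover` array in `composer.json`, as the Telescope docs describe; otherwise package discovery loads it in production anyway.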
🔑 5. Secure Your .env & Secrets
Never commit `.env` to Git.
Never leave API keys in config files.
Use:
- `.gitignore` for `.env`
- Environment-specific secrets via CI/CD
- Secret managers like AWS SSM, Laravel Vault, or 1Password
📁 6. Harden File Uploads
Don’t:
- Allow public access to `/uploads`
- Trust extensions or filenames
- Accept arbitrary files

Do:
- Validate MIME type + file extension
- Store files in `storage/app` (not `public/`)
- Rename uploads with `Str::uuid()`
- Disable PHP execution in upload paths
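An upload controller that follows the "Do" list, as an added example (not code from the original post). The `AttachmentController` name, the `attachments` directory and the accepted types are hypothetical; the `mimes` rule, `Str::uuid()` and the `local` disk are standard Laravel.

```php
<?php
// Added example, not code from the original post. Controller name, the
// "attachments" directory and the accepted file types are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class AttachmentController extends Controller
{
    public function store(Request $request)
    {
        $request->validate([
            // "mimes" inspects the file's actual content, not the client-supplied name.
            'attachment' => ['required', 'file', 'mimes:pdf,png,jpeg,jpg', 'max:5120'],
        ]);

        $file = $request->file('attachment');

        // Never reuse the client's filename: it may carry path separators,
        // a .php extension, or collide with another user's upload.
        $name = Str::uuid() . '.' . $file->guessExtension();

        // The "local" disk is storage/app, which the web server does not serve,
        // so even a disguised script can only ever be downloaded, never executed.
        $file->storeAs('attachments', $name, 'local');

        return response()->json(['id' => $name]);
    }

    public function show(Request $request, string $name)
    {
        // Accept only the exact name shape we generate; "../" tricks fail here.
        abort_unless(preg_match('/\A[0-9a-f-]{36}\.(pdf|png|jpe?g)\z/', $name) === 1, 404);

        $path = 'attachments/' . $name;
        abort_unless(Storage::disk('local')->exists($path), 404);

        // Force a download rather than inline rendering so an HTML payload
        // with an image extension is never interpreted by the browser.
        return Storage::disk('local')->download($path);
    }
}

// routes/web.php: both routes sit behind auth so uploads are never anonymous
// and downloads are never public.
//   Route::middleware('auth')->group(function () {
//       Route::post('/attachments', [AttachmentController::class, 'store']);
//       Route::get('/attachments/{name}', [AttachmentController::class, 'show']);
//   });
```

Because files never touch `public/`, the "disable PHP execution" step only matters for directories the web server actually serves; keeping uploads under `storage/app` removes that directory from the picture entirely.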
🔗 7. Force HTTPS & Add Security Headers
HTTPS isn’t optional anymore.
In your middleware:

```php
\Illuminate\Routing\Middleware\RequireHttps::class
```

Or in `AppServiceProvider`:

```php
URL::forceScheme('https');
```

Set headers:
- `Strict-Transport-Security`
- `Content-Security-Policy`
- `Referrer-Policy`
- `X-Frame-Options`

Use packages like `spatie/laravel-csp` or write your own middleware.
🔒 8. Protect Your Routes & APIs
Don’t leave sensitive routes unguarded.
- Use `auth`, `throttle`, and `verified` middleware
- Restrict admin APIs with role checks
- Use policies or gates for critical actions

Example:

```php
$this->authorize('delete', $post);
```
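The three bullets and the `authorize()` call wired together, as an added example (not code from the original post). The `Post` model, `PostController`, `Admin\UserController`, the `isAdmin()` helper and an `admin` gate are all hypothetical; braced namespaces are used only so the routes file, policy and controller fit one listing.

```php
<?php
// Added example, not code from the original post. Braced namespaces let the
// routes file, the policy and the controller share one listing. Model,
// controller and isAdmin() names are hypothetical, and Gate::define('admin', ...)
// is assumed to be defined in a service provider.

// routes/web.php and routes/api.php (global code)
namespace {
    use App\Http\Controllers\Admin\UserController;
    use App\Http\Controllers\PostController;
    use Illuminate\Support\Facades\Route;

    // Logged-in, e-mail-verified users only, at most 60 requests a minute each.
    Route::middleware(['auth', 'verified', 'throttle:60,1'])->group(function () {
        Route::delete('/posts/{post}', [PostController::class, 'destroy']);
    });

    // Admin API: token auth via Sanctum plus a role gate, with a tighter rate limit.
    Route::middleware(['auth:sanctum', 'can:admin', 'throttle:30,1'])
        ->prefix('api/admin')
        ->group(function () {
            Route::get('/users', [UserController::class, 'index']);
        });
}

// app/Policies/PostPolicy.php (auto-discovered for App\Models\Post)
namespace App\Policies {
    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        public function delete(User $user, Post $post): bool
        {
            // Owner or admin; anyone else gets a 403 from $this->authorize('delete', $post).
            return $user->id === $post->user_id || $user->isAdmin();
        }
    }
}

// app/Http/Controllers/PostController.php (destroy action only)
namespace App\Http\Controllers {
    use App\Models\Post;

    class PostController extends Controller
    {
        public function destroy(Post $post)
        {
            // Route-model binding already 404s unknown ids; the policy decides the rest.
            $this->authorize('delete', $post);
            $post->delete();

            return redirect('/posts');
        }
    }
}
```

`$this->authorize()` comes from the `AuthorizesRequests` trait, which the base controller includes up to Laravel 10; from Laravel 11 the base `Controller` is empty, so add `use AuthorizesRequests;` to it yourself.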
📊 9. Configure Logging Safely
Don’t log sensitive data:
- Passwords
- Tokens
- Full request bodies

In `config/logging.php`:
- Use `daily` logs
- Limit retention
- Store logs outside public folders

Consider redacting inputs in `App\Exceptions\Handler`.
📤 10. Secure Queue Workers & Schedulers
Queues and scheduled commands run in the background—but they still need protection.
Tips:
- Validate all job data, even if already validated earlier
- Limit which users can trigger queued jobs
- Monitor for failed jobs or abuse
- Use `php artisan queue:monitor` or Laravel Pulse
📈 Bonus: Enable Monitoring & Alerts
You can’t stop every attack—but you can detect early signs.
Tools to consider:
- Laravel Pulse (for built-in monitoring)
- Telescope (for request & exception auditing)
- Sentry, Bugsnag, or Rollbar (for alerts)
- Slack or Email notifications on unusual activity
📘 Want a Deeper Dive?
This checklist is just the surface.
In my eBook Bulletproof Laravel: Write Code That Hackers Hate, I walk through:
✅ Secure authentication, 2FA, email verification
✅ File uploads, XSS, CSRF, SQLi
✅ API & mobile security
✅ Queues, scheduled tasks, and production hardening
✅ Case studies from real-world attacks
👉 Get it here: https://www.amazon.com/dp/B0FFNT7BMQ
Start deploying with confidence—not with crossed fingers.
🧠 Final Tip
Laravel gives you the tools.
Security comes down to how you use them.
So next time you go to deploy your Laravel app—
use this checklist, and ship it like a pro.
Top comments (1)
I always do this, bro