
Morcos Gad


Laravel Security: Some Tips

Let's make our projects safer by following some notes that I would like to share with you.

  • Blade XSS Attack

Blade's double-curly syntax (https://laravel.com/docs/8.x/blade#displaying-unescaped-data) runs the value through htmlspecialchars, so HTML in user-supplied content (for example an injected <script> tag) is rendered as visible text instead of being executed. Use it for anything that comes from a user; reserve the unescaped form for HTML you generated or sanitized yourself.

Escaped text (safe for user input, HTML tags are shown as text): {{ $text }}
Unescaped text (raw HTML is rendered, so scripts run): {!! $text !!}

  • Protect Your .env File

Never expose the .env file publicly: it holds database passwords, API keys for other services and the APP_KEY used for encryption and signed cookies. Keep .env out of version control (Laravel's default .gitignore already excludes it) and commit only a .env.example with placeholder values.
How to use .env.example and the difference between the two files:
https://blog.quickadminpanel.com/how-to-use-laravel-env-example-files/
https://www.youtube.com/watch?v=MeVXMKnRZuM

  • Don't Use $request->all()

The danger of $request->all() is that nothing filters the fields: anyone can open the browser's developer tools (or use curl) and add extra form fields, for example is_admin=1, and if that array is passed straight to Model::create() or update(), the extra field is written too (mass assignment).
https://www.youtube.com/watch?v=QQS5oEOguRU
Use one of these instead; they return only the fields you validate or name:

$request->validated() // only the fields that passed your Form Request rules
$request->only()      // an explicit allow-list of field names
$request->except()    // a deny-list; weaker, because a field you forget slips through

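As an added example (not code from the original post), here is a store action written the insecure way and then hardened with validate(), which also returns only the fields named in the rules. The Task model, its is_approved column, the created_by_id column and the route names are assumed for illustration:

```php
<?php
// Added example, not from the original post. Assumes a Task model whose
// fillable columns include title, body, user_id and a boolean is_approved
// flag that only moderators should be able to set.

namespace App\Http\Controllers;

use App\Models\Task;
use Illuminate\Http\Request;

class TaskController extends Controller
{
    // VULNERABLE: every key the client sends reaches the model. Adding
    // is_approved=1 in the browser dev tools (or with curl) is enough to
    // approve your own task, as long as the column is fillable.
    public function storeInsecure(Request $request)
    {
        $task = Task::create($request->all());

        return redirect()->route('tasks.show', $task);
    }

    // HARDENED: validate() returns only the keys that appear in the rules,
    // so unexpected input is dropped before it reaches the model. Values the
    // server owns (the creator, the approval flag) are set explicitly and
    // never taken from the request.
    public function store(Request $request)
    {
        $validated = $request->validate([
            'title' => ['required', 'string', 'max:120'],
            'body'  => ['nullable', 'string', 'max:10000'],
        ]);

        $task = Task::create($validated + [
            'user_id'     => $request->user()->id,
            'is_approved' => false,
        ]);

        return redirect()->route('tasks.show', $task);
    }
}
```

As defence in depth, also leave is_approved out of the model's $fillable array (or list it in $guarded), so that a future caller who does pass $request->all() still cannot set it.
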
  • File Upload: Client Data

Keep in mind that the getClientOriginalName and getClientOriginalExtension methods are considered unsafe, because the file name and extension are sent by the client and can be chosen freely by a malicious user (for example shell.php, or a name containing ../). For this reason you should prefer the hashName and extension methods, which generate a random name and derive the extension from the file's detected MIME type. https://laravel.com/docs/8.x/filesystem#other-uploaded-file-information

$file = $request->file('avatar');

$name = $file->hashName();       // Generate a unique, random name...
$extension = $file->extension(); // Determine the file's extension based on the file's MIME type...

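An added example (not from the original post) that puts the two methods together with validation and a non-public disk; the avatars directory, the users.avatar_path column and the route names are assumed:

```php
<?php
// Added example, not from the original post. Assumes an `avatars` directory
// on the `local` (non-public) disk and a `users.avatar_path` column.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class AvatarController extends Controller
{
    // VULNERABLE: trusts the client-supplied name. A file uploaded as
    // "shell.php" is written to disk under exactly that name and extension,
    // whatever its content really is.
    public function storeInsecure(Request $request)
    {
        $file = $request->file('avatar');
        $file->storeAs('avatars', $file->getClientOriginalName());

        return back();
    }

    // HARDENED:
    //  - `image` checks the real MIME type of the content, not the extension
    //    the browser sent; `mimes:` narrows it further, because `image` alone
    //    also accepts SVG, which can carry scripts;
    //  - store() names the file with hashName(): a random string plus an
    //    extension derived from the detected MIME type;
    //  - the `local` disk is outside the web root, so nothing in it can be
    //    requested (or executed) directly by the web server.
    public function store(Request $request)
    {
        $request->validate([
            'avatar' => ['required', 'file', 'image', 'mimes:jpg,jpeg,png', 'max:2048'],
        ]);

        $path = $request->file('avatar')->store('avatars', 'local');

        $request->user()->update(['avatar_path' => $path]);

        return back();
    }

    // Files are served through the application, never by a direct URL, so
    // the authorization check and the Content-Type header stay under your control.
    public function show(Request $request)
    {
        $path = $request->user()->avatar_path;
        abort_unless($path, 404);

        return Storage::disk('local')->response($path);
    }
}
```
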
  • APP_DEBUG=true in Production

The debug option in your config/app.php configuration file determines how much information about an error is actually displayed to the user. By default, this option is set to respect the value of the APP_DEBUG environment variable, which is stored in your .env file.

For local development, you should set the APP_DEBUG environment variable to true. In your production environment, this value should always be false. If the variable is set to true in production, you risk exposing sensitive configuration values to your application's end users.
https://laravel.com/docs/8.x/configuration#debug-mode

  • CSRF and Route::get()

Anytime you define a "POST", "PUT", "PATCH", or "DELETE" HTML form in your application, you should include a hidden CSRF _token field in the form so that the CSRF protection middleware can validate the request. For convenience, you may use the @csrf Blade directive to generate the hidden token input field

<form method="POST" action="/profile">
    @csrf

</form>

Do not perform anything that changes data inside a Route::get() handler. The VerifyCsrfToken middleware only checks POST, PUT, PATCH and DELETE requests; GET, HEAD and OPTIONS pass through unchecked, so a state-changing GET route can be triggered by a plain link or an <img> tag on any page the victim visits.
https://laravel.com/docs/8.x/csrf
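An added example (not from the original post) of the same rule in route definitions, showing the GET route that bypasses CSRF protection beside the protected version; the TaskController::destroy() action, the can:delete policy ability and the host name are assumed for illustration:

```php
<?php
// Added example, not from the original post. Assumes a TaskController with a
// destroy() action and a TaskPolicy with a delete() method.

use App\Http\Controllers\TaskController;
use Illuminate\Support\Facades\Route;

// VULNERABLE: GET (like HEAD and OPTIONS) is exempt from VerifyCsrfToken.
// A logged-in victim who merely loads a page containing
//   <img src="https://app.example/tasks/42/delete">   (hypothetical host)
// deletes task 42 without clicking anything; the browser sends the session
// cookie automatically.
Route::get('/tasks/{task}/delete', [TaskController::class, 'destroy']);

// HARDENED: the change goes through a verb that the CSRF middleware checks,
// and the route is also behind authentication and the TaskPolicy.
Route::delete('/tasks/{task}', [TaskController::class, 'destroy'])
    ->middleware(['auth', 'can:delete,task'])
    ->name('tasks.destroy');

/*
 The matching Blade form (resources/views/tasks/show.blade.php). HTML forms
 only speak GET and POST, so @method spoofs DELETE for Laravel, and @csrf adds
 the hidden _token field that VerifyCsrfToken validates:

 <form method="POST" action="{{ route('tasks.destroy', $task) }}">
     @csrf
     @method('DELETE')
     <button type="submit">Delete</button>
 </form>
*/
```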

  • Rate Limiting

Rate limiting caps how many requests a client may make in a time window. It protects login, registration and password-reset endpoints against brute force and credential stuffing, and APIs against abuse or accidental overload.
https://laravel.com/docs/8.x/routing#rate-limiting
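An added example (not from the original post) of a named limiter for a login endpoint, defined in the RouteServiceProvider the Laravel 8 skeleton ships with; the limits, the key construction and the login route are choices made for this illustration:

```php
<?php
// Added example, not from the original post. Defines a `login` limiter keyed
// on the submitted e-mail plus the client IP, so an attacker can neither
// spray one account from many addresses nor many accounts from one address
// without hitting a limit. Apply it with ->middleware('throttle:login').

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends ServiceProvider
{
    protected function configureRateLimiting(): void
    {
        RateLimiter::for('login', function (Request $request) {
            $email = strtolower((string) $request->input('email'));

            // Returning an array applies every limit; the request is rejected
            // with HTTP 429 as soon as any one of them is exceeded.
            return [
                // 5 attempts per minute against a single account from one IP.
                Limit::perMinute(5)->by($email.'|'.$request->ip()),

                // A looser cap per IP regardless of e-mail, to slow down
                // account enumeration and wide credential-stuffing runs.
                Limit::perMinute(30)->by($request->ip())
                    ->response(function () {
                        return response('Too many login attempts, try again later.', 429);
                    }),
            ];
        });

        // The default API limiter as shipped by Laravel 8: per user when
        // authenticated, per IP otherwise.
        RateLimiter::for('api', function (Request $request) {
            return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
        });
    }
}

// routes/web.php (assumed LoginController):
// Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');
```

The counters live in the configured cache store, so on a multi-server deployment point CACHE_DRIVER at a shared store such as Redis; with the file or array cache each server would count separately and the limit would be multiplied by the number of servers.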

  • Protect Records from Access By Other Users

1- Add a check in the edit function to make sure the current user owns the task. Without it, anyone who guesses another user's task ID in the URL can edit that task (an insecure direct object reference):

public function edit(Task $task)
{
   if($task->created_by_id != auth()->id()){
      abort(403);
   }
   // edit
}

2- Policies
https://laravel.com/docs/8.x/authorization#creating-policies
We create a policy for the model:

php artisan make:policy TaskPolicy --model=Task

In the policy, check that the task belongs to the user:

public function view(User $user, Task $task)
{
   return $task->created_by_id == $user->id;
}

Call authorize() in the edit function; when the policy returns false, Laravel aborts the request with a 403. Do the same in update(), since that is the request that actually writes the change:

public function edit(Task $task)
{
   $this->authorize('view', $task);

   // edit
}

3- Use Laravel Roles and Permissions
https://www.youtube.com/watch?v=kZOgH3-0Bko
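An added example (not from the original post) that extends the policy above to every controller action with authorizeResource(), so update() and destroy() are covered and not only edit(). The two classes would normally live in separate files; they are shown in one file with bracketed namespaces only so the example is a single valid script. The created_by_id column is the one used in the post; the route names are assumed:

```php
<?php
// Added example, not from the original post. In a real app these are two
// files: app/Policies/TaskPolicy.php and app/Http/Controllers/TaskController.php.
// Laravel 8 discovers TaskPolicy for App\Models\Task automatically.

namespace App\Policies {
    use App\Models\Task;
    use App\Models\User;

    class TaskPolicy
    {
        // authorizeResource() maps index -> viewAny and create/store -> create;
        // without these two methods those pages would be denied.
        public function viewAny(User $user): bool { return true; }
        public function create(User $user): bool  { return true; }

        public function view(User $user, Task $task): bool   { return $this->owns($user, $task); }
        public function update(User $user, Task $task): bool { return $this->owns($user, $task); }
        public function delete(User $user, Task $task): bool { return $this->owns($user, $task); }

        // Strict comparison after casting: created_by_id may arrive as a string
        // from some drivers, and a loose == would also treat null == 0 as equal.
        private function owns(User $user, Task $task): bool
        {
            return (int) $task->created_by_id === (int) $user->id;
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Task;
    use Illuminate\Http\Request;

    class TaskController extends Controller
    {
        public function __construct()
        {
            // One line covers every action: show -> view, edit/update -> update,
            // destroy -> delete, using the {task} route parameter as the model.
            $this->authorizeResource(Task::class, 'task');
        }

        public function edit(Task $task)
        {
            return view('tasks.edit', compact('task'));
        }

        public function update(Request $request, Task $task)
        {
            $task->update($request->validate([
                'title' => ['required', 'string', 'max:120'],
            ]));

            return redirect()->route('tasks.show', $task);
        }

        public function destroy(Task $task)
        {
            $task->delete();

            return redirect()->route('tasks.index');
        }
    }
}
```

The advantage over a manual if in each method is that a new action added later is denied by default until a matching policy method exists, instead of silently being open.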

  • Protect SQL Injection - Laravel DB Raw Queries

Never interpolate PHP variables ($) into a raw query string. Use ? placeholders instead and pass the values as a bindings array; the database driver then sends the values separately from the statement text, so quotes or keywords inside them are treated as data, never as SQL:

->selectRaw('price * ? as price_with_tax', [1.0825])

Here are some sources if you want to dig deeper
https://laravel.com/docs/8.x/queries#raw-expressions
https://developer.okta.com/blog/2020/06/15/sql-injection-in-php
https://en.wikipedia.org/wiki/SQL_injection
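An added example (not from the original post) showing an injectable raw query beside its bound versions, and the one case bindings do not cover: identifiers such as column names. The products table and its columns are assumed for illustration:

```php
<?php
// Added example, not from the original post. Assumes a `products` table with
// `name`, `price`, `category` and `created_at` columns.

use Illuminate\Support\Facades\DB;

// VULNERABLE: user input becomes part of the SQL text. With
//   ?category=' OR 1=1 --
// the WHERE clause is always true; with a UNION SELECT the attacker reads
// any other table the DB user can see.
function searchInsecure(string $category)
{
    return DB::select("SELECT * FROM products WHERE category = '$category'");
}

// SAFE: positional `?` bindings. The value travels separately from the
// statement, so a quote inside $category can never close the string literal.
function search(string $category, float $taxRate)
{
    return DB::table('products')
        ->selectRaw('name, price * ? AS price_with_tax', [1 + $taxRate])
        ->whereRaw('category = ?', [$category])
        ->get();
}

// SAFE: the same with named bindings on DB::select().
function searchNamed(string $category)
{
    return DB::select(
        'SELECT * FROM products WHERE category = :category',
        ['category' => $category]
    );
}

// CAVEAT: bindings only cover values. A column name or sort direction taken
// from the request cannot be bound, so it must be matched against an
// allow-list before it reaches orderBy() or orderByRaw().
function listSorted(string $sortBy, string $direction)
{
    $allowedColumns = ['name', 'price', 'created_at'];

    $column = in_array($sortBy, $allowedColumns, true) ? $sortBy : 'created_at';
    $dir    = strtolower($direction) === 'desc' ? 'desc' : 'asc';

    return DB::table('products')->orderBy($column, $dir)->get();
}
```

The ordinary query builder methods (where(), orderBy() with a fixed column, etc.) already bind values for you; the risk appears only in the *Raw methods and in DB::select()/DB::statement() strings you assemble yourself.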

  • Protect from XSS Attack (WYSIWYG Text Editors)

First, enable as few editor features as possible, and in particular disable the "source editing" mode that lets users write raw HTML.
Second, consider the @ckeditor/ckeditor5-markdown-gfm plugin so the editor produces Markdown instead of HTML and you avoid handling HTML at all:
https://ckeditor.com/docs/ckeditor5/latest/features/markdown.html
Finally, if you must accept HTML for any reason, remember that editor settings are client-side only and anyone can POST arbitrary markup directly to your endpoint. Sanitize on the server with a package such as https://github.com/mewebstudio/Purifier (an HTML Purifier wrapper) before storing it, and only then render it with {!! !!}.
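An added example (not from the original post) that ties this section to the Blade escaping rule from the start of the post: rich-text input is purified on the server when stored, plain-text fields are rendered escaped, and only the purified field is rendered raw. It assumes mews/purifier is installed with its default configuration, a Post model with title and body columns, a posts() relationship on User, and the route names shown:

```php
<?php
// Added example, not from the original post. Assumes `composer require
// mews/purifier` with the default config/purifier.php, a Post model with
// `title` and `body` columns, and a hasMany posts() relation on User.

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;
use Mews\Purifier\Facades\Purifier;

class PostController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'title' => ['required', 'string', 'max:150'],
            'body'  => ['required', 'string', 'max:50000'],
        ]);

        // The WYSIWYG editor's restrictions live in the browser and can be
        // bypassed with a hand-crafted POST. Purify here, before storage, so
        // every later render starts from markup that has passed the allow-list
        // (script tags, on* handlers and javascript: URLs are removed).
        $data['body'] = Purifier::clean($data['body']);

        $post = $request->user()->posts()->create($data);

        return redirect()->route('posts.show', $post);
    }

    public function show(Post $post)
    {
        return view('posts.show', compact('post'));
    }
}

/*
 resources/views/posts/show.blade.php

 {{-- Plain-text field: always escaped, so a title of "<script>..." is shown as text --}}
 <h1>{{ $post->title }}</h1>

 {{-- Rich-text field: rendered raw ONLY because it was purified on the way in --}}
 <div class="post-body">{!! $post->body !!}</div>
*/
```

Purifying at store time rather than at render time means old rows are clean too, and a later template that forgets the rule cannot reintroduce the stored payload; if you ever change the allow-list, re-run Purifier over existing rows.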

  • Four "Dangerous" Laravel Features (Use With Caution)

1- Global Scopes
Beware of using this feature (https://laravel.com/docs/8.x/eloquent#global-scopes): a developer who joins the project later sees a plain User::all() and has no way to tell that a hidden global scope is silently filtering rows. It is usually clearer to scope the query to the logged-in user explicitly, e.g. ->where('user_id', auth()->id()).

2- Eager Loading By Default
Beware of using this feature (https://laravel.com/docs/8.x/eloquent-relationships#eager-loading-by-default). Think of the future developers of your project: every query on the model will also load the authors, even where they are not needed, and nothing at the call site shows why.

3- Global Middleware
Beware of using this feature (https://laravel.com/docs/9.x/middleware#global-middleware): it runs on every request, including routes that do not need it, and a developer reading a route definition gets no hint that the middleware is being applied.

4- Overriding Framework Defaults
Beware of this as well. Think of the developers who will join your project later: if a method called delete also writes to a different table, or carries instructions that have nothing to do with its name, nobody will expect it. Overriding a well-known feature, method or property of the Laravel framework in this way makes the code surprising for future developers.


https://www.youtube.com/watch?v=m4CcU6GK6I8
https://www.youtube.com/watch?v=dWVTfY6cMBs
https://www.youtube.com/watch?v=lq57_NMoL6A
https://www.youtube.com/watch?v=WXUgf7DCHvg

New sources:
https://www.youtube.com/watch?v=JLZjnHB7N_E

https://adevait.com/laravel/security-in-laravel

I hope you enjoyed the code as much as I enjoy learning new things and then sharing them with you.
