Web application security in Laravel: from OWASP to production operations

Why most web applications ship with known vulnerabilities

A fresh Laravel installation handles a surprising amount of security out of the box. CSRF tokens on every form. Bcrypt password hashing. Parameterised queries through Eloquent. Blade template escaping. These defaults cover the basics, and many developers stop there.

The problem is that defaults protect against the common case, not your specific case. A raw database query bypasses Eloquent's parameterisation. An {!! $html !!} directive in Blade disables escaping. A misconfigured CORS policy opens the API to cross-origin abuse. Every Laravel project we audit has at least one place where a developer stepped outside the framework's safety rails without adding compensating controls.

How Laravel handles the OWASP Top 10

The OWASP Top 10 catalogues the most critical web application security risks. Laravel addresses most of them through framework conventions, but each requires deliberate application.

Authentication and authorisation patterns that survive production

Authentication is identity: proving who someone is. Authorisation is permission: controlling what they can do. Conflating the two is the most common architectural mistake we fix in inherited codebases.

Authentication

Laravel ships with Sanctum for SPA and mobile token authentication, and supports Passport for full OAuth2 flows. For most business applications, Sanctum with session-based authentication is sufficient and simpler to reason about.

Password policy matters more than password complexity. We enforce minimum length (12 characters), check against the HaveIBeenPwned breached password database using Laravel's Password::uncompromised() rule, and implement progressive delays after failed login attempts. TOTP-based multi-factor authentication (using packages like pragmarx/google2fa-laravel) is standard on any application handling financial or personal data.

Authorisation

Laravel's Gate and Policy system is well designed but under-used. We define policies for every Eloquent model and register them in AuthServiceProvider. The critical pattern: always authorise at both the route level (middleware) and the query level (scoped queries). Route-level authorisation prevents access to endpoints. Query-level authorisation prevents data leakage through parameter manipulation.

Defending against injection, XSS, and CSRF in practice

These three attack vectors account for the majority of web application vulnerabilities. Laravel provides strong defaults for each, but defaults only work when developers stay within the framework's conventions.

Security headers

We configure security headers at the web server level to provide client-side defence in depth. Every application we deploy scores A+ or higher on the Mozilla Observatory.

• Strict-Transport-Security: max-age=31536000; includeSubDomains; preload enforces HTTPS
• Content-Security-Policy restricts script, style, and connection sources
• X-Content-Type-Options: nosniff prevents MIME-type sniffing
• X-Frame-Options: DENY blocks clickjacking
• Referrer-Policy: strict-origin-when-cross-origin limits referrer leakage
• Permissions-Policy disables unused browser features (camera, microphone, geolocation)

Secrets, dependencies, and the software supply chain

Environment variables are Laravel's primary secrets mechanism through .env files. The rules are non-negotiable: .env is in .gitignore, never committed to version control. Production secrets are injected through the hosting environment or a secrets manager (AWS Secrets Manager, HashiCorp Vault), never baked into container images or deployment artefacts.

Dependency security is a supply chain problem. A Laravel application with 80 Composer packages and 200 npm packages has a large attack surface that is mostly invisible. We manage this through automated scanning in CI, Dependabot or Renovate for update pull requests, lock file integrity verification, weekly security advisory reviews, and version pinning for production deployments. The Log4Shell vulnerability in 2021 demonstrated that a single transitive dependency can compromise an entire fleet.

Deployment pipelines and zero-downtime releases

Security and operations converge at the deployment pipeline. A manual deployment process, where someone SSHes into a server and runs git pull, is both a security risk and an operational liability. Every manual step is an opportunity for inconsistency, and every SSH session is an attack surface.

Our standard deployment pipeline uses GitHub Actions or GitLab CI with four stages.

Zero-downtime deployment means the application serves requests continuously during release. The old version handles requests until the new version is fully ready, then a symlink swap makes the transition atomic. If the new version fails health checks, the symlink reverts. No maintenance windows, no "please try again in five minutes."

Infrastructure is defined as code (Terraform, Ansible) and version-controlled alongside the application. Server configuration changes go through the same review process as application code. This eliminates configuration drift, where production slowly diverges from what anyone thinks it looks like, and provides a complete audit trail of every infrastructure change.

SSH access to production servers is restricted to key-based authentication only, limited to a small set of IP addresses, and logged. For most operational tasks (restarting queues, clearing caches, running migrations), we use the CI pipeline rather than direct server access. The goal is that nobody needs to SSH into production during normal operations.

Monitoring, backups, and disaster recovery

Security does not end at deployment. An application without monitoring is an application where breaches go undetected.

Backups

Backups follow the 3-2-1 rule: three copies, two different storage types, one offsite. Database backups run hourly with 48-hour retention for hourly snapshots, daily for 30 days, weekly for 12 months. File storage (uploads, generated documents) replicates to a separate region.

The critical discipline is testing restores. We run a full database restore to a staging environment monthly. A backup that has never been restored is not a backup; it is a hope.

Disaster recovery

Recovery requires defined objectives. Recovery Time Objective (RTO) is how quickly the system must be back online. Recovery Point Objective (RPO) is how much data loss is acceptable. For most business applications we build, the targets are RTO under four hours and RPO under one hour. Infrastructure-as-code makes recovery reproducible: spin up new infrastructure, restore the latest backup, update DNS. We document the procedure, and we practice it.

What this looks like in practice

Web application security is not a feature you add before launch. It is an operational discipline that runs from the first line of code through every deployment and into ongoing maintenance.

The applications we build for clients at IGC carry these patterns from day one. Not because we follow a checklist, but because after two decades and 50+ Laravel applications, these are the habits that prevent 3am phone calls.

• ✓
  Preventive investment over reactive cost The cost of getting security right is a fraction of the cost of getting it wrong. A breached application means regulatory notification, customer trust damage, and weeks of forensic investigation.
• ✓
  GDPR compliance built in GDPR requires reporting breaches within 72 hours. The preventive investment is measured in hours of configuration. The reactive cost is measured in months and reputation.
• ✓
  Tested backups with verified restoration Not "we think we can restore" but "we did restore on this date and it took 47 minutes."
• ✓
  Proactive monitoring with actionable alerts Problems detected before users report them. Alerts that require response, not dismissal.