From insecure direct object references to missing rate limiting — a practical security checklist every Laravel developer needs before going to production.
Laravel ships with excellent security defaults. But defaults only protect you from the things the framework anticipates. Here are the ten most common security mistakes we see when auditing Laravel applications — and how to fix them.
Laravel's throttle middleware is easy to add and critical for preventing brute-force attacks. Your login, password reset, and API authentication endpoints should all be rate-limited. A simple throttle:5,1 (5 attempts per minute) on your login route dramatically reduces the risk of credential stuffing attacks.
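As an added example (not code from the article or from Laravel itself), here is how the inline form and a named limiter look side by side. The controller names (LoginController, PasswordResetLinkController, TokenController) are assumed. The inline throttle:5,1 counts per client IP (or per authenticated user), so the named limiter below also keys on the submitted e-mail: that stops an attacker from spreading attempts across many source addresses against one account, while a second, looser per-IP limit keeps a shared office NAT from locking everyone out.

```php
<?php
// app/Providers/AppServiceProvider.php (excerpt)

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Named limiter for the login form. Keyed on (email, IP) so attempts
        // against one account cannot be spread across many addresses, plus a
        // looser per-IP ceiling so one busy NAT does not lock out everyone.
        RateLimiter::for('login', function (Request $request) {
            $email = strtolower((string) $request->input('email', ''));

            return [
                // 5 attempts per minute per (email, IP) pair
                Limit::perMinute(5)
                    ->by($email . '|' . $request->ip())
                    ->response(fn () => response()->json(
                        ['message' => 'Too many login attempts. Try again shortly.'],
                        429
                    )),
                // 50 attempts per minute per IP, whatever e-mails are tried
                Limit::perMinute(50)->by($request->ip()),
            ];
        });

        // Password-reset mail: 3 requests per 10 minutes per IP
        RateLimiter::for('password-reset', function (Request $request) {
            return Limit::perMinutes(10, 3)->by($request->ip());
        });
    }
}

// routes/web.php (excerpt) -- controller class names are assumed
use App\Http\Controllers\Auth\LoginController;
use App\Http\Controllers\Auth\PasswordResetLinkController;
use App\Http\Controllers\Api\TokenController;
use Illuminate\Support\Facades\Route;

Route::post('/login', [LoginController::class, 'store'])
    ->middleware('throttle:login');            // named limiter defined above

Route::post('/forgot-password', [PasswordResetLinkController::class, 'store'])
    ->middleware('throttle:password-reset');

// The inline form from the article: 5 attempts per minute, keyed by IP
// (or by user id once authenticated). Fine for a first pass, but it has
// no per-account dimension.
Route::post('/api/token', [TokenController::class, 'store'])
    ->middleware('throttle:5,1');
```

Rate limiting stores its counters in the configured cache, so a multi-server deployment needs a shared cache driver (Redis, Memcached, database) for the limits to apply globally rather than per web node. The 429 responses are also worth alerting on: a burst of them against the login route is usually the first visible sign of a credential-stuffing run.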
This is the most common vulnerability we find. An IDOR occurs when a user can access another user's data by modifying an ID in a URL or request. Fix: always authorise before exposing resources. Use Laravel's Policy classes and the authorize() method in every controller action.
If you're using $guarded = [] on your models, you're trusting that your form requests are perfect. They rarely are. Define explicit $fillable arrays on every model, and use Form Request classes to validate input before it ever reaches your model.
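The following added example (not the article's code) covers the IDOR fix and the mass-assignment fix together in one realistic update flow: a Policy decides who may see or edit a record, the controller calls authorize() before touching it, a Form Request validates input, and the model carries an explicit $fillable allow-list. All names (Invoice, InvoicePolicy, UpdateInvoiceRequest, InvoiceController and the column names) are assumed; the four files are shown in one listing for brevity.

```php
<?php
// app/Models/Invoice.php
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Invoice extends Model
{
    // Explicit allow-list. user_id, status and total are deliberately absent,
    // so a crafted request body cannot reassign the owner or mark itself paid,
    // even if a future Form Request forgets to reject those keys.
    protected $fillable = ['title', 'notes', 'due_at'];
}

// app/Policies/InvoicePolicy.php (auto-discovered for App\Models\Invoice)
namespace App\Policies;

use App\Models\Invoice;
use App\Models\User;

class InvoicePolicy
{
    public function view(User $user, Invoice $invoice): bool
    {
        return $invoice->user_id === $user->id;
    }

    public function update(User $user, Invoice $invoice): bool
    {
        return $invoice->user_id === $user->id;
    }
}

// app/Http/Requests/UpdateInvoiceRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Route-model binding has already resolved {invoice}, so the policy
        // check runs against the real record before any validation happens.
        return $this->user()->can('update', $this->route('invoice'));
    }

    public function rules(): array
    {
        return [
            'title'  => ['required', 'string', 'max:120'],
            'notes'  => ['nullable', 'string', 'max:2000'],
            'due_at' => ['nullable', 'date', 'after:today'],
        ];
    }
}

// app/Http/Controllers/InvoiceController.php
namespace App\Http\Controllers;

use App\Http\Requests\UpdateInvoiceRequest;
use App\Models\Invoice;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;

class InvoiceController extends Controller
{
    use AuthorizesRequests; // provides $this->authorize()

    public function show(Invoice $invoice)
    {
        // /invoices/{invoice}: without this line any authenticated user could
        // read any invoice simply by changing the id in the URL (the IDOR).
        $this->authorize('view', $invoice);

        return view('invoices.show', compact('invoice'));
    }

    public function update(UpdateInvoiceRequest $request, Invoice $invoice)
    {
        // authorize() already ran inside the Form Request. validated() returns
        // only the keys declared in rules(), and $fillable filters them again,
        // so the request body is never handed to the model as-is.
        $invoice->update($request->validated());

        return redirect()->route('invoices.show', $invoice);
    }
}
```

Two details are easy to miss. First, pass validated() rather than all() to update(): the Form Request only rejects bad values for the fields it declares, so all() would still carry whatever extra keys the client added, and $fillable is the last line of defence for those. Second, a quick regression test for the IDOR is one feature test that logs in as user A, requests user B's invoice, and asserts a 403; keeping that test in the suite catches the day someone removes the authorize() call.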
These three alone account for the majority of high-severity vulnerabilities we encounter. The full checklist — covering SQL injection prevention, XSS in Blade, CSRF configuration, secure file uploads, and more — is something every team should run through before launch.