About Laravel 5.1 Security

2019-02-14 03:02发布

I'm newbie on developing projects in Laravel 5.1

I want to learn the how can I avoid security risks. What kind of attacks are secured by Laravel? And what kind of attacks Laravel is not secure?

Using middleware is good way to handling authorizations.

And I know Laravel is secured for CSRF attacks.

Is there any thing that should i know ? What about SQL Injection. Is Laravel secure or not?

1条回答
相关推荐>>
2楼-- · 2019-02-14 04:00

The short answer

Laravel 5.1 is well secured what regards to SQL injection, CSRF and XSS per default.

More details

In my opinion, what you should be aware of:

1- It is not only Laravel alone that is responsible for your web application security, but the environment surrounding it.
    - Web server should be configured correctly and secure.
    - It is an advantage to SSL (Certificate) among your domain.
    - Do only use SFTP over SSH for file transfer and do only use SSH for console connection.
    - Use trusted provider and physically secured Server environment.
    - Backup your files and your database regularly and move the data out side your provider server location.
    - Make different username and password for SSH console, database or other services.
    - For SSH access and Database access, do not use admin or root username often, keep it only for emergency use, in stead create a sub admin/root account and use that in stead.

2- Above all of that, when you further develop on your Laravel, you might risk performing bad programming which breaks the default security rules of Laravel.

Conclusion

Therefore, it is suggested not counting on default security. You need to do your own penetration test when your project is done to ensure every thing is working and secured as planned. And follow some of the simple security rules then you would perfectly be on the safe side.

I suggest you to look at this link regarding CSRF and as @ImtiazPabel comments link.

Finally this link is good to check:

EDIT
OP asked in comments:

Can we say Request::get($data) is totaly safe?

Request::get($data) is secured and safe as well.

Note
I and 3 other guys made a primitive project to measure the security level of Laravel 5.1 a few months back and it passed successfully with out any remarkable comments.

查看更多
登录 后发表回答