Saturday, 1 July 2017

Laravel - Security

by Shakuntala Naroda

Security is an important feature when designing web applications. It assures the users of the website that their data is secure. Laravel provides various mechanisms to secure a website. Some of the features are listed below −

1. Passwords − Laravel provides a class called "Hash" which provides secure Bcrypt hashing. The password can be hashed in the following way.

2. The make() function takes a value as its argument and returns the hashed value. The hashed value can be checked using the check() function in the following way.

The check() function returns a Boolean value: true if the password matches the stored hash, false otherwise.
3. Authentication − The other main security feature in Laravel is authenticating a user and then performing some action on their behalf. Laravel has made this task easier.

4. CSRF protection and cross-site scripting (XSS) − Cross-site scripting (XSS) attacks happen when attackers are able to place client-side JavaScript code in a page viewed by other users. To avoid this kind of attack, you should never trust user-submitted data, and you should always escape any dangerous characters before rendering it. Cross-site request forgery (CSRF) is a separate attack, in which a victim's browser is tricked into submitting a request the user did not intend. Laravel automatically generates a CSRF "token" for each active user session managed by the application. Any time you define an HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request.

5. Avoiding SQL injection −
An SQL injection vulnerability exists when an application inserts arbitrary and unfiltered user input into an SQL query. By default, Laravel protects you against this type of attack, since both the query builder and Eloquent use the PHP Data Objects (PDO) class with bound parameters behind the scenes, so user input is sent to the database as data rather than as part of the query text. Consider for instance a form field used to supply an e-mail address, which might be used for searching a user table.
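The e-mail lookup described in the SQL injection section, together with the Hash::make() and Hash::check() calls from the Passwords section, as an added example that is not part of the original post. It assumes a standard Laravel application with a `users` table that has `email` and `password` columns; the function names are illustrative.

```php
<?php
// Added example (not from the original post). Assumes a Laravel app with a
// `users` table having `email` and `password` columns.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

// UNSAFE: the user-supplied e-mail is concatenated straight into the SQL
// string, so the input can change the query itself. This is the
// vulnerability the post describes; shown only for contrast.
function findUserUnsafe(string $email)
{
    return DB::select("SELECT * FROM users WHERE email = '" . $email . "'");
}

// SAFE: the query builder passes $email as a bound PDO parameter, so the
// database always treats it as data, never as SQL.
function findUserByEmail(string $email)
{
    return DB::table('users')->where('email', $email)->first();
}

// SAFE when raw SQL is really needed: keep the value in the bindings array
// instead of the query string.
function findUserRaw(string $email)
{
    return DB::select('SELECT * FROM users WHERE email = ?', [$email]);
}

// Registration: store only the Bcrypt hash returned by Hash::make(),
// never the plain-text password.
function storeUser(Request $request): void
{
    DB::table('users')->insert([
        'email'    => $request->input('email'),
        'password' => Hash::make($request->input('password')),
    ]);
}

// Login check: Hash::check() compares the submitted password against the
// stored hash and returns true on a match, false otherwise.
function passwordMatches(Request $request): bool
{
    $user = findUserByEmail($request->input('email'));

    return $user !== null
        && Hash::check($request->input('password'), $user->password);
}
```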

6. Cookies secure by default − Laravel makes it very easy to create, read, and expire cookies with its Cookie class. In Laravel all cookies are automatically signed and encrypted, so a cookie whose value has been tampered with on the client side fails verification and Laravel will automatically discard it. This also means that you will not be able to read their contents from the client side using JavaScript.

7. Forcing HTTPS when exchanging sensitive data −
HTTPS prevents attackers on the same network from intercepting private information, such as session identifiers, and using it to log in as the victim.

Conclusion: Of course, there are plenty of other things you should do to further secure your Laravel application, such as ensuring that browser-based error reporting is disabled. However, Laravel really does give you a much more secure application by eliminating these three very common attack vectors.