Laravel安全最佳实践指南 | 防范CSRF、SQL注入、XSS攻击

laravel-security by affaan-m/everything-claude-code

695 周安装量

116,600 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/affaan-m/everything-claude-code --skill laravel-security

PHP 框架 Laravel 安全

🇨🇳中文介绍

Laravel 安全最佳实践

为 Laravel 应用程序提供全面的安全指导，以防范常见漏洞。

何时启用

添加身份验证或授权功能时
处理用户输入和文件上传时
构建新的 API 端点时
管理密钥和环境设置时
强化生产环境部署时

工作原理

中间件提供基础防护（通过 VerifyCsrfToken 防范 CSRF，通过 SecurityHeaders 设置安全头）。
守卫和策略强制执行访问控制（auth:sanctum、$this->authorize、策略中间件）。
表单请求在数据到达服务层之前进行验证和整形（例如 UploadInvoiceRequest）。
速率限制在身份验证控制之外增加了滥用防护（RateLimiter::for('login')）。
数据安全通过加密转换、批量赋值防护和签名路由（URL::temporarySignedRoute + 中间件）来实现。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

会话和 Cookie 强化

设置 SESSION_HTTP_ONLY=true 以防止 JavaScript 访问
对高风险流程使用 SESSION_SAME_SITE=strict
在登录和权限变更时重新生成会话

身份验证与令牌

使用 Laravel Sanctum 或 Passport 进行 API 身份验证
对于敏感数据，优先使用带有刷新流程的短期令牌
在用户注销或账户泄露时撤销令牌

路由保护示例：

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});

使用 Hash::make() 哈希密码，切勿存储明文
使用 Laravel 的密码代理进行密码重置流程

use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

$validated = $request->validate([
    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],
]);

$user->update(['password' => Hash::make($validated['password'])]);

授权：策略与门面

使用策略进行模型级别的授权
在控制器和服务中强制执行授权

$this->authorize('update', $project);

在路由级别使用策略中间件进行强制执行：

use Illuminate\Support\Facades\Route;

Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);

验证与数据清理

始终使用表单请求验证输入
使用严格的验证规则和类型检查
切勿信任请求负载中的派生字段

使用 $fillable 或 $guarded，避免使用 Model::unguard()
优先使用 DTO 或显式的属性映射

使用 Eloquent 或查询构建器的参数绑定
除非绝对必要，否则避免使用原生 SQL

DB::select('select * from users where email = ?', [$email]);

Blade 默认转义输出（{{ }}）
仅对受信任且已清理的 HTML 使用 {!! !!}
使用专用库清理富文本

保持 VerifyCsrfToken 中间件启用
在表单中包含 @csrf，并为 SPA 请求发送 XSRF 令牌

对于使用 Sanctum 的 SPA 身份验证，确保配置了有状态请求：

// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),

验证文件大小、MIME 类型和扩展名
尽可能将上传文件存储在公共路径之外
如有需要，扫描文件中的恶意软件

final class UploadInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return (bool) $this->user()?->can('upload-invoice');
    }

    public function rules(): array
    {
        return [
            'invoice' => ['required', 'file', 'mimes:pdf', 'max:5120'],
        ];
    }
}

$path = $request->file('invoice')->store(
    'invoices',
    config('filesystems.private_disk', 'local') // 将其设置为非公共磁盘
);

在身份验证和写入端点应用 throttle 中间件
对登录、密码重置和 OTP 使用更严格的限制

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    return [
        Limit::perMinute(5)->by($request->ip()),
        Limit::perMinute(5)->by(strtolower((string) $request->input('email'))),
    ];
});

切勿将密钥提交到源代码管理
使用环境变量和密钥管理器
密钥泄露后及时轮换，并使会话失效

对静态存储的敏感列使用加密转换。

protected $casts = [
    'api_token' => 'encrypted',
];

在适当的地方添加 CSP、HSTS 和框架保护
使用受信任的代理配置来强制执行 HTTPS 重定向

设置安全头的中间件示例：

use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, \Closure $next): Response
    {
        $response = $next($request);

        $response->headers->add([
            'Content-Security-Policy' => "default-src 'self'",
            'Strict-Transport-Security' => 'max-age=31536000', // 仅当所有子域都使用 HTTPS 时才添加 includeSubDomains/preload
            'X-Frame-Options' => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy' => 'no-referrer',
        ]);

        return $response;
    }
}

在 config/cors.php 中限制来源
避免对已认证的路由使用通配符来源

// config/cors.php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
    'allowed_origins' => ['https://app.example.com'],
    'allowed_headers' => [
        'Content-Type',
        'Authorization',
        'X-Requested-With',
        'X-XSRF-TOKEN',
        'X-CSRF-TOKEN',
    ],
    'supports_credentials' => true,
];

切勿记录密码、令牌或完整的卡片数据
在结构化日志中编辑敏感字段

use Illuminate\Support\Facades\Log;

Log::info('User updated profile', [
    'user_id' => $user->id,
    'email' => '[REDACTED]',
    'token' => '[REDACTED]',
]);

定期运行 composer audit
谨慎固定依赖项版本，并在出现 CVE 时及时更新

使用签名路由生成临时的、防篡改的链接。

use Illuminate\Support\Facades\URL;

$url = URL::temporarySignedRoute(
    'downloads.invoice',
    now()->addMinutes(15),
    ['invoice' => $invoice->id]
);

use Illuminate\Support\Facades\Route;

Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])
    ->name('downloads.invoice')
    ->middleware('signed');

🇺🇸English

Laravel Security Best Practices

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

When to Activate

Adding authentication or authorization
Handling user input and file uploads
Building new API endpoints
Managing secrets and environment settings
Hardening production deployments

How It Works

Middleware provides baseline protections (CSRF via VerifyCsrfToken, security headers via SecurityHeaders).
Guards and policies enforce access control (auth:sanctum, $this->authorize, policy middleware).
Form Requests validate and shape input (UploadInvoiceRequest) before it reaches services.
Rate limiting adds abuse protection (RateLimiter::for('login')) alongside auth controls.
Data safety comes from encrypted casts, mass-assignment guards, and signed routes (URL::temporarySignedRoute + signed middleware).

Core Security Settings

APP_DEBUG=false in production
APP_KEY must be set and rotated on compromise
Set SESSION_SECURE_COOKIE=true and SESSION_SAME_SITE=lax (or strict for sensitive apps)
Configure trusted proxies for correct HTTPS detection

Session and Cookie Hardening

Set SESSION_HTTP_ONLY=true to prevent JavaScript access
Use SESSION_SAME_SITE=strict for high-risk flows
Regenerate sessions on login and privilege changes

Authentication and Tokens

Use Laravel Sanctum or Passport for API auth
Prefer short-lived tokens with refresh flows for sensitive data
Revoke tokens on logout and compromised accounts

Example route protection:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});

Password Security

Hash passwords with Hash::make() and never store plaintext
Use Laravel's password broker for reset flows

use Illuminate\Support\Facades\Hash; use Illuminate\Validation\Rules\Password;

$validated = $request->validate([ 'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()], ]);

$user->update(['password' => Hash::make($validated['password'])]);

Authorization: Policies and Gates

Use policies for model-level authorization
Enforce authorization in controllers and services

$this->authorize('update', $project);

Use policy middleware for route-level enforcement:

use Illuminate\Support\Facades\Route;

Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);

Validation and Data Sanitization

Always validate inputs with Form Requests
Use strict validation rules and type checks
Never trust request payloads for derived fields

Mass Assignment Protection

Use $fillable or $guarded and avoid Model::unguard()
Prefer DTOs or explicit attribute mapping

SQL Injection Prevention

Use Eloquent or query builder parameter binding
Avoid raw SQL unless strictly necessary

DB::select('select * from users where email = ?', [$email]);

XSS Prevention

Blade escapes output by default ({{ }})
Use {!! !!} only for trusted, sanitized HTML
Sanitize rich text with a dedicated library

CSRF Protection

Keep VerifyCsrfToken middleware enabled
Include @csrf in forms and send XSRF tokens for SPA requests

For SPA authentication with Sanctum, ensure stateful requests are configured:

// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),

File Upload Safety

Validate file size, MIME type, and extension
Store uploads outside the public path when possible
Scan files for malware if required

final class UploadInvoiceRequest extends FormRequest { public function authorize(): bool { return (bool) $this->user()?->can('upload-invoice'); }
```
public function rules(): array
{
    return [
        'invoice' => ['required', 'file', 'mimes:pdf', 'max:5120'],
    ];
}
```
}

$path = $request->file('invoice')->store( 'invoices', config('filesystems.private_disk', 'local') // set this to a non-public disk );

Rate Limiting

Apply throttle middleware on auth and write endpoints
Use stricter limits for login, password reset, and OTP

use Illuminate\Cache\RateLimiting\Limit; use Illuminate\Http\Request; use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) { return [ Limit::perMinute(5)->by($request->ip()), Limit::perMinute(5)->by(strtolower((string) $request->input('email'))), ]; });

Secrets and Credentials

Never commit secrets to source control
Use environment variables and secret managers
Rotate keys after exposure and invalidate sessions

Encrypted Attributes

Use encrypted casts for sensitive columns at rest.

protected $casts = [
    'api_token' => 'encrypted',
];

Security Headers

Add CSP, HSTS, and frame protection where appropriate
Use trusted proxy configuration to enforce HTTPS redirects

Example middleware to set headers:

use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, \Closure $next): Response
    {
        $response = $next($request);

        $response->headers->add([
            'Content-Security-Policy' => "default-src 'self'",
            'Strict-Transport-Security' => 'max-age=31536000', // add includeSubDomains/preload only when all subdomains are HTTPS
            'X-Frame-Options' => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy' => 'no-referrer',
        ]);

        return $response;
    }
}

CORS and API Exposure

Restrict origins in config/cors.php
Avoid wildcard origins for authenticated routes

// config/cors.php return [ 'paths' => ['api/*', 'sanctum/csrf-cookie'], 'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], 'allowed_origins' => ['https://app.example.com'], 'allowed_headers' => [ 'Content-Type', 'Authorization', 'X-Requested-With', 'X-XSRF-TOKEN', 'X-CSRF-TOKEN', ], 'supports_credentials' => true, ];

Logging and PII

Never log passwords, tokens, or full card data
Redact sensitive fields in structured logs

use Illuminate\Support\Facades\Log;

Log::info('User updated profile', [ 'user_id' => $user->id, 'email' => '[REDACTED]', 'token' => '[REDACTED]', ]);

Dependency Security

Run composer audit regularly
Pin dependencies with care and update promptly on CVEs

Signed URLs

Use signed routes for temporary, tamper-proof links.

use Illuminate\Support\Facades\URL;

$url = URL::temporarySignedRoute(
    'downloads.invoice',
    now()->addMinutes(15),
    ['invoice' => $invoice->id]
);



use Illuminate\Support\Facades\Route;

Route::get('/invoices/{invoice}/download', [InvoiceController::class, 'download'])
    ->name('downloads.invoice')
    ->middleware('signed');

Weekly Installs

356

Repository

affaan-m/everyt…ude-code

GitHub Stars

105.0K

First Seen

9 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

codex341

cursor305

opencode303

amp302

gemini-cli302

github-copilot302

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

24,700 周安装

Laravel安全最佳实践指南 | 防范CSRF、SQL注入、XSS攻击

🇨🇳中文介绍

Laravel 安全最佳实践

何时启用

工作原理

相关 Skills

核心安全设置

会话和 Cookie 强化

身份验证与令牌

密码安全

授权：策略与门面

验证与数据清理

批量赋值防护

SQL 注入防护

XSS 防护

CSRF 防护

文件上传安全

速率限制

密钥与凭据

加密属性

安全头部

CORS 与 API 暴露

日志记录与 PII

依赖项安全

签名 URL