Securing Your Web Application — Essential Checklist
November 28, 2025 · 9 min read
Introduction
Security is not a feature — it is a continuous practice. Every web application is a target, whether it has 10 users or 10 million. For PHP developers, the good news is that modern frameworks like Laravel bake in robust protection against the most common attack vectors. However, understanding these protections and knowing where the gaps remain is essential. This checklist covers the critical security layers every PHP application needs.
SQL Injection Prevention
SQL injection remains the most prevalent web vulnerability. The golden rule is to never concatenate user input into SQL queries. Laravel's Eloquent ORM uses parameterized binding under the hood, making it safe by default. If you write raw queries, always use the DB::select() method with bound parameters instead of string interpolation.
// Safe — parameterized binding
$users = DB::select('SELECT * FROM users WHERE email = ?', [$email]);
// Unsafe — never do this
$users = DB::select("SELECT * FROM users WHERE email = '$email'");
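As an added example (not code from the original post), the following shows the safe patterns with Laravel's query builder and raw bindings, and the one case bindings cannot cover: a column name or sort direction taken from the client, which has to be checked against an allow-list. The `users` table and its column names are assumptions.

```php
<?php
// Added example: parameterised queries in Laravel, plus allow-listing for
// identifiers that bindings cannot protect. Table/column names are assumed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

function findUserByEmail(string $email): ?object
{
    // The query builder sends the value as a PDO binding, separate from the
    // SQL text, so an input like "' OR 1=1 --" is compared literally.
    return DB::table('users')->where('email', '=', $email)->first();
}

function searchUsersByName(string $term): array
{
    // Raw SQL is still safe when every user-controlled value is a binding.
    // Named bindings (:term) work the same way as the positional '?' form.
    return DB::select(
        'SELECT id, name, email FROM users WHERE name LIKE :term LIMIT 50',
        ['term' => '%' . $term . '%']
    );
}

function listUsersSorted(Request $request): array
{
    // Bindings only cover values. A column name or ASC/DESC keyword cannot be
    // bound, so anything the client sends here must match an allow-list.
    $allowedColumns = ['name', 'email', 'created_at'];

    $column = (string) $request->query('sort', 'created_at');
    if (!in_array($column, $allowedColumns, true)) {
        $column = 'created_at';
    }

    $direction = strtolower((string) $request->query('dir', 'asc')) === 'desc' ? 'desc' : 'asc';

    return DB::table('users')
        ->orderBy($column, $direction)
        ->limit(50)
        ->get()
        ->all();
}
```

The allow-list step is the part most often missed: `orderBy($request->query('sort'))` compiles the value straight into the SQL text, so it needs the same treatment as string interpolation even though the rest of the query is built safely.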
Cross-Site Scripting (XSS)
XSS occurs when an attacker injects malicious scripts into your pages. Blade, Laravel's templating engine, automatically escapes all output using {{ $var }} with htmlspecialchars(). The {!! $var !!} syntax outputs raw HTML and should only be used with trusted, sanitized content. In addition to Blade escaping, implement a Content Security Policy (CSP) header to restrict which scripts can execute.
// In a middleware
$response->header('Content-Security-Policy',
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
);
CSRF Protection
Cross-Site Request Forgery tricks an authenticated user into performing actions they did not intend. Laravel automatically generates and validates a CSRF token for every active user session. Blade provides the @csrf directive that injects a hidden token field. For SPA or API-driven applications, use Laravel Sanctum's token-based authentication which is inherently immune to CSRF.
Rate Limiting
Rate limiting protects your application from brute-force attacks and API abuse. Laravel's built-in throttle middleware lets you define limits per route or per IP address. A common pattern is to limit login attempts to 5 per minute.
// In routes/api.php or routes/web.php
Route::middleware('throttle:5,1')->group(function () {
    Route::post('/login', [AuthController::class, 'login']);
});
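The inline `throttle:5,1` form keys the limit on the client IP. As an added example (not code from the original post), the following registers a named limiter that keys on the submitted e-mail address combined with the IP, with a looser per-IP ceiling on top. The limiter name `login`, the second limit of 20 per minute, and registering it in `AppServiceProvider::boot()` (Laravel 11; earlier versions use `RouteServiceProvider::configureRateLimiting()`) are assumptions.

```php
<?php
// Added example: a named rate limiter for the login route. The 'login' name,
// the 20/min per-IP ceiling and the provider location are assumptions.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('login', function (Request $request) {
            $email = strtolower(trim((string) $request->input('email', '')));

            // Two limits apply at once; the request is rejected when either trips.
            return [
                // 5 attempts per minute for a given account *from a given IP*:
                // an attacker hitting one address from elsewhere does not lock
                // out the legitimate user on their own connection.
                Limit::perMinute(5)->by($email . '|' . $request->ip()),

                // 20 attempts per minute per IP regardless of account, which
                // caps password spraying across many addresses.
                Limit::perMinute(20)->by($request->ip()),
            ];
        });
    }
}

// routes/web.php: reference the named limiter instead of the inline 'throttle:5,1'.
// Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:login');
```

Returning an array of `Limit` objects from the closure is supported by Laravel's `RateLimiter::for()`; each limit keeps its own counter, and a `429` is returned as soon as one of them is exceeded.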
Authentication Best Practices
Store passwords using bcrypt — Laravel's Hash::make() uses bcrypt with a configurable cost factor. Enforce strong password policies (minimum 8 characters, mixed case, special characters). Implement two-factor authentication (2FA) for admin panels. Laravel Fortify provides a ready-made 2FA implementation with time-based one-time passwords (TOTP).
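As an added example (not code from the original post), here is a registration and login pair that enforces the policy above with Laravel's `Password` rule object, hashes with `Hash::make()`, and upgrades stored hashes when the bcrypt cost is raised. The controller name, field names and JSON responses are assumptions.

```php
<?php
// Added example: password policy, hashing and transparent re-hashing.
// Controller/field names are assumptions; the APIs used are Laravel's.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

class AuthController extends Controller
{
    public function register(Request $request)
    {
        $data = $request->validate([
            'email' => ['required', 'email', 'unique:users,email'],
            'password' => [
                'required',
                'confirmed', // requires a matching password_confirmation field
                // minimum 8 chars, mixed case, digits and symbols, and not
                // present in the Have I Been Pwned breach corpus (network call).
                Password::min(8)->mixedCase()->numbers()->symbols()->uncompromised(),
            ],
        ]);

        $user = User::create([
            'email' => $data['email'],
            // bcrypt; the cost comes from config/hashing.php ('bcrypt.rounds').
            'password' => Hash::make($data['password']),
        ]);

        return response()->json(['id' => $user->id], 201);
    }

    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Same response for "unknown e-mail" and "wrong password" so the login
        // form does not reveal which addresses are registered.
        if (!$user || !Hash::check($credentials['password'], $user->password)) {
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // If the cost factor was increased after this hash was stored, replace
        // it now while the plaintext is available.
        if (Hash::needsRehash($user->password)) {
            $user->forceFill(['password' => Hash::make($credentials['password'])])->save();
        }

        $request->session()->regenerate(); // new session id on privilege change
        auth()->login($user);

        return response()->json(['message' => 'ok']);
    }
}
```

`Hash::needsRehash()` is what makes "configurable cost factor" useful in practice: raising `bcrypt.rounds` in `config/hashing.php` only affects new hashes, so existing users are migrated the next time they log in.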
Session Security
Configure your session cookies with HttpOnly (prevents JavaScript access), SameSite=Lax or Strict (mitigates CSRF in browsers that support it), and Secure (ensures cookies are only sent over HTTPS). In Laravel, these are configured in config/session.php. Use the file or database session driver for production; avoid the cookie driver which stores the full session payload client-side.
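The cookie-related keys from `config/session.php`, set to the hardened values described above, as an added example rather than the original post's code. The env variable names are Laravel's stock ones; the other keys in the file are unchanged and omitted here.

```php
<?php
// Added example: production settings for the cookie-related keys in
// config/session.php. Env names are Laravel's defaults; the remaining keys
// of the stock file (cookie, path, domain, table, store, ...) stay as they are.

return [
    // 'file' or 'database' keep the payload server-side; 'cookie' would ship
    // the whole session to the client.
    'driver' => env('SESSION_DRIVER', 'database'),

    'lifetime' => (int) env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Encrypt the stored payload as well.
    'encrypt' => true,

    // Secure: the browser only sends the cookie over HTTPS.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // HttpOnly: not readable from document.cookie.
    'http_only' => true,

    // SameSite: 'lax' | 'strict' | 'none' ('none' requires secure => true).
    // 'strict' drops the cookie on top-level navigations from other sites,
    // which logs users out when they follow an external link, so 'lax' is
    // the usual production choice.
    'same_site' => 'lax',

    // ... other keys from the stock config/session.php unchanged
];
```

Note that `SESSION_SECURE_COOKIE` defaults to unset in the stock file, so local HTTP development still works; the default of `true` here makes production the safe case when the variable is forgotten.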
HTTPS Enforcement
All traffic must be encrypted in transit. In Laravel, set APP_ENV=production and FORCE_HTTPS=true in your .env file, then add URL::forceScheme('https') in your AppServiceProvider. On the server level, configure Nginx or Apache to redirect all HTTP requests to HTTPS and implement HSTS headers.
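The following middleware pulls together the CSP header from the XSS section and the HTTPS redirect and HSTS header from this one. It is an added example, not the original post's code: the class name, the nonce handling, the `csp_nonce` request attribute and the one-year HSTS max-age are assumptions.

```php
<?php
// Added example serving the XSS/CSP and HTTPS sections: redirect to HTTPS in
// production, set a nonce-based CSP, and add HSTS on secure responses.
// Class name, nonce attribute name and max-age are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // Redirect plain HTTP to HTTPS. Behind a load balancer, register the
        // proxy in the TrustProxies middleware so isSecure() is derived from
        // X-Forwarded-Proto rather than the internal hop.
        if (!$request->isSecure() && app()->environment('production')) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        // A fresh nonce per response. Blade templates read it with
        // <script nonce="{{ request()->attributes->get('csp_nonce') }}">,
        // which lets you drop 'unsafe-inline' for scripts entirely.
        $nonce = base64_encode(random_bytes(16));
        $request->attributes->set('csp_nonce', $nonce);

        $response = $next($request);

        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self' 'unsafe-inline'",
            "object-src 'none'",        // no Flash/plugin embeds
            "base-uri 'self'",          // stop <base> hijacking relative URLs
            "frame-ancestors 'none'",   // clickjacking protection
        ]);
        $response->headers->set('Content-Security-Policy', $csp);

        // HSTS only belongs on an HTTPS response; browsers ignore it otherwise.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}
```

Register it in the global middleware stack so every response carries the headers, and keep `URL::forceScheme('https')` in `AppServiceProvider` as described above so that generated links match the scheme the redirect enforces. Start with a short HSTS `max-age` while verifying that every subdomain serves HTTPS, since the header is cached by browsers for its full duration.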
File Upload Validation
Unrestricted file uploads can lead to remote code execution. Validate uploads by MIME type, file extension, and file size. Never trust the extension from the client — use PHP's finfo to detect the actual MIME type. Store uploaded files outside the web root whenever possible and serve them through a script that enforces access controls.
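Putting those rules together, as an added example that is not the original post's code: validate by size and detected type, re-check the MIME type with `finfo`, store under a random name on the `local` disk (which lives under `storage/app`, outside `public/`), and serve through a controller that authorizes every download. The `Document` model, its `view` policy and the route layout are assumptions.

```php
<?php
// Added example: upload validation, finfo type detection, storage outside the
// web root, and access-controlled delivery. The Document model, the 'view'
// policy and the documents() relation on User are assumptions.

namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class DocumentController extends Controller
{
    // Accepted types: detected MIME type => extension we store under.
    private const ALLOWED = [
        'application/pdf' => 'pdf',
        'image/png'       => 'png',
        'image/jpeg'      => 'jpg',
    ];

    public function store(Request $request)
    {
        $request->validate([
            // 'mimes' is checked against the detected type, not the client's
            // extension; 'max' is in kilobytes.
            'document' => ['required', 'file', 'mimes:pdf,png,jpg', 'max:5120'],
        ]);

        $file = $request->file('document');

        // Independent check of the real content type with finfo.
        $detected = (new \finfo(FILEINFO_MIME_TYPE))->file($file->getRealPath());
        if ($detected === false || !isset(self::ALLOWED[$detected])) {
            abort(422, 'Unsupported file type.');
        }

        // Random server-side name: the client's filename is never used as a
        // path, which rules out traversal and collisions.
        $name = Str::uuid() . '.' . self::ALLOWED[$detected];

        // 'local' disk => storage/app/documents/..., not reachable by URL.
        $path = $file->storeAs('documents', $name, 'local');

        $doc = $request->user()->documents()->create([
            'path'          => $path,
            'mime'          => $detected,
            'original_name' => Str::limit($file->getClientOriginalName(), 255, ''),
        ]);

        return response()->json(['id' => $doc->id], 201);
    }

    public function show(Request $request, Document $document)
    {
        // The file is only reachable through this action, so the policy check
        // runs on every download.
        $this->authorize('view', $document);

        return Storage::disk('local')->response(
            $document->path,
            $document->original_name,
            [
                'Content-Type'           => $document->mime,
                'X-Content-Type-Options' => 'nosniff', // serve the stored type, never sniff
            ]
        );
    }
}
```

Serving the stored MIME type with `nosniff` matters as much as the upload check: even a correctly detected PNG can carry HTML-looking bytes, and a browser allowed to sniff could render it as a page in your origin.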
Dependency Scanning with Composer
Vulnerable third-party packages are a common attack vector. Run composer audit regularly to check your dependencies against the PHP Security Advisories database. Integrate security scanning into your CI/CD pipeline using tools like symfony/security-checker or commercial services like Snyk. Subscribe to the Laravel security newsletter to receive notifications about framework-level vulnerabilities.
Conclusion
Security is a layered defense. No single measure makes your application invulnerable, but combining prepared statements, output escaping, CSRF tokens, rate limiting, HTTPS, and regular dependency audits creates a robust posture. Start with the OWASP Top 10 as your baseline, automate security checks wherever possible, and make security reviews a standard part of your deployment workflow.