Securing Laravel from Hackers

Aug 23, 2021 laravel php security

Laravel Hacker is no longer a brand. You can find my security work at MasteringLaravel.io/security

Laravel is a great framework that is pretty secure by default. However, configuration mistakes or coding errors can still leave your app open for attack. Where do you go for help?

I’ve been working with PHP for over 20 years now. My framework of choice over the last few years has been Laravel. I love the way it helps enforce parts of the Twelve-Factor App methodology - things like configuring an application through environment variables instead of hard-coding secrets. Its query builder and Eloquent also use PDO prepared statements with bound parameters by default, so ordinary queries are not exposed to SQL injection.
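Parameter binding only protects you when you actually let the query builder do the binding. The following is an added example, not code from the original post; it assumes a Laravel app with a `users` table, the `DB` facade, and a `$email` value that came straight from user input:

```php
<?php
// Added example (not from the original post). Assumes a Laravel app with a
// `users` table; the functions below would live in a controller or repository.

use Illuminate\Support\Facades\DB;

// VULNERABLE: interpolating user input into a raw SQL fragment bypasses
// Laravel's parameter binding. whereRaw() sends the string to the database
// verbatim, so $email = "x' OR '1'='1" turns this into a query that
// matches every row.
function findUserUnsafe(string $email)
{
    return DB::table('users')
        ->whereRaw("email = '$email'")
        ->first();
}

// SAFE: where() compiles to `where email = ?` and passes $email as a
// PDO binding, so the database never parses it as SQL.
function findUserSafe(string $email)
{
    return DB::table('users')
        ->where('email', $email)
        ->first();
}

// SAFE even with raw SQL: keep the placeholder in the SQL and hand the
// value over in the bindings array instead of concatenating it.
function findUserRawSafe(string $email)
{
    return DB::table('users')
        ->whereRaw('email = ?', [$email])
        ->first();
}

// SAFE when the builder is not an option: DB::select() also accepts
// bindings, so even hand-written statements can stay parameterised.
function findUserSelectSafe(string $email)
{
    return DB::select('select * from users where email = ? limit 1', [$email]);
}
```

The same rule applies to `DB::statement()`, `orderByRaw()`, `selectRaw()` and every other `*Raw` method: the moment user-controlled data is concatenated into the SQL string rather than passed as a binding, the "secure by default" guarantee is gone. A quick check is to grep the codebase for `Raw(` and `DB::statement(` and confirm each call takes its values from a bindings array.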

Because Laravel is so easy to use, new programmers can launch an application pretty fast. In fact, it’s basically just an extension of the mentality of PHP - something that’s so easy to get going that it’s easy not to dig into it further. And that’s great! To a point…

My fear is that developers are not getting educated on the attacks that are still out there, waiting for weak spots in their armor. One coding mistake, one bad configuration (a raw query built from user input, `APP_DEBUG=true` left on in production), and no amount of Laravel’s built-in security will protect you. That’s why it’s important to understand the mechanics of your app and how it relates to a secure environment.

There’s not enough information that goes deeper than a “Top 10” list for Laravel security. There are some tools now that help, but there’s not a lot of education available. I decided it’s time to change that.

I want to educate Laravel programmers about security in a way that they understand. My experience with the security community has been double sided: sometimes they’re great, other times they don’t seem to want to bridge the gap between what programmers need to accomplish and the security that is demanded. With experience on both sides, I think I can help bridge this better.

I want developers to make great code that’s easy to read and efficient. I want them to follow best practices. I want them to use Laravel to its full extent. But, I also want them to be Beautifully Secure.

And that’s why I launched Laravel Hacker. We can still write beautiful code but we need to protect against all of the bad actors. It’s basically every day now that we’re hearing more and more sites have been breached, passwords hacked and apps held for ransom. With Laravel Hacker, I will help programmers become Beautifully Secure.

The first thing I’m launching is a 7 question quiz to determine how secure your Laravel app is. You can answer the questions anonymously - and then I present you with a score. If you’re like me, you can pick up some tips from the quiz questions on what you should be doing. At the end, I offer a 7 day email course to teach you how to lock down your app. This basically follows the questions of the quiz, explaining the tools and giving you quick wins and suggestions.

Ready to secure your Laravel app? Check out LaravelHacker.com!

Looking for more Laravel Tips & Tricks? Join Joel and me on the No Compromises bi-weekly podcast; around 15 minutes of thoughtful real-world advice and helpful info.