
Laravel Security
Harden Laravel apps with middleware, policies, Form Requests, rate limiting, mass-assignment guards, and production config for auth and APIs.
Overview
laravel-security is an agent skill most often used in Ship (also Build) that applies Laravel auth, validation, CSRF, rate limiting, and secure deployment practices.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill laravel-security
What is this skill?
- Activation triggers: authn/authz, user input, APIs, secrets, production hardening
- Middleware stack: VerifyCsrfToken, SecurityHeaders, signed routes
- Guards and policies with auth:sanctum and Form Request validation pipelines
- RateLimiter patterns for login and abuse alongside auth controls
- Production core settings: APP_DEBUG, APP_KEY rotation, secure session cookies, trusted proxies
Adoption & trust: 4.8k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are adding Laravel auth, APIs, or uploads without a consolidated checklist for CSRF, sessions, mass assignment, and production secrets.
Who is it for?
Indie Laravel developers shipping Sanctum APIs or multi-tenant SaaS who need guardrails before production.
Skip if: Non-PHP stacks or Laravel apps already fully audited by a dedicated security engagement with no new surface area.
When should I use this skill?
Adding authentication or authorization, handling user input and file uploads, building new API endpoints, managing secrets, or hardening production deployments.
What do I get? / Deliverables
You wire middleware, policies, Form Requests, and rate limits with production-safe env settings aligned to Laravel’s security primitives.
- Hardened middleware and policy configuration guidance
- Form Request and rate-limit patterns for sensitive routes
- Production env checklist for debug, keys, and cookies
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security hardening and deployment settings are canonical in Ship before production exposure. Appsec checklist—CSRF, sessions, Sanctum, uploads, and secrets—maps directly to the security subphase shelf.
Where it fits
Add UploadInvoiceRequest validation and policy checks before a new billing API ships.
Enable SecurityHeaders, signed routes, and login rate limits before production cutover.
Rotate APP_KEY and verify trusted proxy settings after a suspected compromise.
How it compares
Framework-specific security playbook—not a generic OWASP scanner skill or DevOps-only CI hardening guide.
Common Questions / FAQ
Who is laravel-security for?
Solo builders and small teams on Laravel who own auth, APIs, uploads, and deployment configuration.
When should I use laravel-security?
Use in Build when adding Sanctum APIs and Form Requests, and in Ship when turning off debug mode, hardening cookies, and rate-limiting login before launch.
Is laravel-security safe to install?
It documents Laravel security patterns only; review the Security Audits panel on this Prism page for the skill source before installing into your agent.
SKILL.md - Laravel Security
# Laravel Security Best Practices

Comprehensive security guidance for Laravel applications to protect against common vulnerabilities.

## When to Activate

- Adding authentication or authorization
- Handling user input and file uploads
- Building new API endpoints
- Managing secrets and environment settings
- Hardening production deployments

## How It Works

- Middleware provides baseline protections (CSRF via `VerifyCsrfToken`, security headers via `SecurityHeaders`).
- Guards and policies enforce access control (`auth:sanctum`, `$this->authorize`, policy middleware).
- Form Requests validate and shape input (`UploadInvoiceRequest`) before it reaches services.
- Rate limiting adds abuse protection (`RateLimiter::for('login')`) alongside auth controls.
- Data safety comes from encrypted casts, mass-assignment guards, and signed routes (`URL::temporarySignedRoute` + `signed` middleware).

## Core Security Settings

- `APP_DEBUG=false` in production
- `APP_KEY` must be set and rotated on compromise
- Set `SESSION_SECURE_COOKIE=true` and `SESSION_SAME_SITE=lax` (or `strict` for sensitive apps)
- Configure trusted proxies for correct HTTPS detection

## Session and Cookie Hardening

- Set `SESSION_HTTP_ONLY=true` to prevent JavaScript access
- Use `SESSION_SAME_SITE=strict` for high-risk flows
- Regenerate sessions on login and privilege changes

## Authentication and Tokens

- Use Laravel Sanctum or Passport for API auth
- Prefer short-lived tokens with refresh flows for sensitive data
- Revoke tokens on logout and compromised accounts

Example route protection:

```php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Only requests carrying a valid Sanctum token (or stateful SPA session) reach the closure.
Route::middleware('auth:sanctum')->get('/me', function (Request $request) {
    return $request->user();
});
```

## Password Security

- Hash passwords with `Hash::make()` and never store plaintext
- Use Laravel's password broker for reset flows

```php
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

// Enforce a minimum complexity policy before the password is ever hashed.
$validated = $request->validate([
    'password' => ['required', 'string', Password::min(12)->letters()->mixedCase()->numbers()->symbols()],
]);

// Store only the bcrypt/argon hash, never the submitted plaintext.
$user->update(['password' => Hash::make($validated['password'])]);
```

## Authorization: Policies and Gates

- Use policies for model-level authorization
- Enforce authorization in controllers and services

```php
// Throws AuthorizationException (HTTP 403) unless ProjectPolicy@update allows it.
$this->authorize('update', $project);
```

Use policy middleware for route-level enforcement:

```php
use App\Http\Controllers\ProjectController;
use Illuminate\Support\Facades\Route;

// Authenticate first, then run ProjectPolicy@update against the bound {project}.
Route::put('/projects/{project}', [ProjectController::class, 'update'])
    ->middleware(['auth:sanctum', 'can:update,project']);
```

## Validation and Data Sanitization

- Always validate inputs with Form Requests
- Use strict validation rules and type checks
- Never trust request payloads for derived fields

## Mass Assignment Protection

- Use `$fillable` or `$guarded` and avoid `Model::unguard()`
- Prefer DTOs or explicit attribute mapping

## SQL Injection Prevention

- Use Eloquent or query builder parameter binding
- Avoid raw SQL unless strictly necessary

```php
use Illuminate\Support\Facades\DB;

// The "?" placeholder is bound by the driver; $email is never interpolated into the SQL text.
DB::select('select * from users where email = ?', [$email]);
```

## XSS Prevention

- Blade escapes output by default (`{{ }}`)
- Use `{!! !!}` only for trusted, sanitized HTML
- Sanitize rich text with a dedicated library

## CSRF Protection

- Keep `VerifyCsrfToken` middleware enabled
- Include `@csrf` in forms and send XSRF tokens for SPA requests

For SPA authentication with Sanctum, ensure stateful requests are configured:

```php
// config/sanctum.php
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', 'localhost')),
```

## File Upload Safety

- Validate file size, MIME type, and extension
- Store uploads outside the public path when possible
- Scan files for malware if required

```php
final c
```
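A worked `UploadInvoiceRequest` that ties the Form Request, file upload and mass-assignment sections together; this is an added example, not code from the skill's SKILL.md. It assumes an `Invoice` model with a `$fillable` list, an `InvoicePolicy` with a `create` method, and a private `invoices` filesystem disk.

```php
<?php
// Added example (not part of the laravel-security skill): authorization, strict
// file validation and an explicit attribute map in one Form Request.
// Assumed names: App\Models\Invoice, InvoicePolicy@create, the "invoices" disk.

namespace App\Http\Requests;

use App\Models\Invoice;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\File;

final class UploadInvoiceRequest extends FormRequest
{
    // Runs before rules(): an unauthorized caller gets HTTP 403 before any file is inspected.
    public function authorize(): bool
    {
        return $this->user()?->can('create', Invoice::class) ?? false;
    }

    public function rules(): array
    {
        return [
            // File::types checks both extension and detected MIME type; max() is in kilobytes.
            'invoice'   => ['required', File::types(['pdf'])->max(5 * 1024)],
            // Derived identifiers are constrained to a tight character class, not free text.
            'reference' => ['required', 'string', 'max:64', 'regex:/^[A-Z0-9-]+$/'],
        ];
    }

    // Explicit mapping instead of Invoice::create($request->all()): the client can never
    // set user_id, status or the storage path, whatever extra fields it sends.
    public function toInvoiceAttributes(): array
    {
        $validated = $this->validated();

        return [
            'user_id'   => $this->user()->id,
            'reference' => $validated['reference'],
            // store() writes under a random filename on the non-public "invoices" disk;
            // the client-supplied original filename is never used as a path component.
            'path'      => $this->file('invoice')->store('', 'invoices'),
            'status'    => 'pending',
        ];
    }
}
```

In the controller, `Invoice::create($request->toInvoiceAttributes())` is the only write, so `$fillable` and the request's mapping together bound what the payload can influence.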
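The `RateLimiter::for('login')` pattern named in "How It Works", written out as an added example (not the skill's own code). It assumes an `AppServiceProvider` whose `boot()` is where limiters are registered and a `POST /login` route that will carry the `throttle:login` middleware.

```php
<?php
// Added example (not from the laravel-security skill): a named "login" limiter that
// slows guessing against a single account and caps stuffing across many accounts.
// Assumption: limiters are registered in App\Providers\AppServiceProvider::boot().

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

final class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('login', function (Request $request) {
            // Normalise the identifier so "Alice@x" and "alice@x" share one bucket.
            $email = strtolower(trim((string) $request->input('email', '')));

            // Returning several limits makes the throttle middleware enforce all of them;
            // the first one exceeded yields HTTP 429 with a Retry-After header.
            return [
                // Five attempts per minute per (account, client IP) pair.
                Limit::perMinute(5)->by($email.'|'.$request->ip()),
                // A coarser per-IP cap catches one source cycling through many accounts.
                Limit::perMinute(30)->by($request->ip()),
            ];
        });
    }
}
```

Apply it with `Route::post('/login', ...)->middleware(['guest', 'throttle:login'])`; the `login` name in the middleware argument must match the name passed to `RateLimiter::for`.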
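The `URL::temporarySignedRoute` + `signed` middleware combination from "How It Works", shown as an added example for expiring invoice download links (not code from the skill). Assumed names: an `Invoice` model with a `path` attribute, an `InvoicePolicy` with a `view` method, and a private `invoices` disk.

```php
<?php
// Added example (not the laravel-security skill's own code): mint a short-lived signed
// download URL for an authorized user, and let the `signed` middleware reject any
// link whose route, parameters or expiry have been altered.
// Assumptions: App\Models\Invoice, InvoicePolicy@view, Storage disk "invoices".

use App\Models\Invoice;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;

// Issuing a link requires a Sanctum-authenticated user that the policy allows to view the invoice.
Route::middleware('auth:sanctum')->post('/invoices/{invoice}/link', function (Request $request, Invoice $invoice) {
    abort_unless($request->user()->can('view', $invoice), 403);

    // The HMAC signature (keyed with APP_KEY) covers the route name, the invoice id and
    // the expiry timestamp, so none of them can be changed without invalidating the URL.
    return [
        'url' => URL::temporarySignedRoute(
            'invoices.download',
            now()->addMinutes(10),
            ['invoice' => $invoice->id],
        ),
    ];
});

// The `signed` middleware returns HTTP 403 for a missing, tampered or expired signature,
// so the closure only ever runs for a link this application issued and that is still valid.
Route::get('/invoices/{invoice}/download', function (Invoice $invoice) {
    return Storage::disk('invoices')->download($invoice->path);
})->middleware('signed')->name('invoices.download');
```

Because rotating `APP_KEY` changes the signing key, every outstanding signed link stops validating after a rotation, which is the behaviour you want after a suspected compromise.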