Laravel Security
SKILL.md
Priority: P0 (CRITICAL)
Structure
app/
├── Policies/           # Model-level permission (one Policy per Eloquent model)
└── Http/
    └── Middleware/     # Custom security layers
Implementation Guidelines
- Authorization: Always use Policies or Gates (`$user->can('update', $post)`, `$this->authorize(...)`, `@can`); never compare roles inline (`$user->role === 'admin'`).
- Environment: Never call `env()` outside the `config/` files; read settings with `config()`. Once `php artisan config:cache` has run, `.env` is no longer loaded, so `env()` returns `null` for anything defined only there.
- Validation: Strict validation via Form Requests, and pass only `$request->validated()` on to models and queries. Validation constrains the shape of input; SQL injection is prevented by the query builder's parameter binding, so never interpolate input into `DB::raw()`, `whereRaw()` or `DB::statement()`.
- Auth Guarding: Resolve the current user through `auth()->user()` (or a type-hinted `Authenticatable` / `User`), never from request input such as a submitted `user_id`.
- XSS Safety: Leverage Blade `{{ $var }}` automatic escaping; `{!! $var !!}` is unescaped and must only ever receive HTML that has been sanitized server-side.
- CSRF: Ensure `@csrf` is present in all state-changing forms; JavaScript requests must send the token in the `X-CSRF-TOKEN` header (or `X-XSRF-TOKEN` from the cookie), or the CSRF middleware rejects them with a 419.
Anti-Patterns
- Raw Env: No `env()` in application code; access settings through `config()` so configuration caching keeps working.
- Manual Auth: No custom auth logic (hand-rolled password comparison, session handling, "remember me" tokens); use Laravel's built-in guards, `Hash`, and `Auth`.
- Unvalidated Mass: No `Model::create($request->all())`; always pass `$request->validated()` to `create()` / `update()`, and never list `user_id` or `is_admin` style columns in the rules unless the policy allows changing them.
- Logic in Blade: No auth logic in views; compute the decision in the controller and pass it as data (e.g. a `$canEdit` boolean).
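One request path wired the way the guidelines and anti-patterns above describe, as an added example rather than code from the skill itself. The `Post` model, `PostPolicy`, `UpdatePostRequest`, `PostController` and the `services.payments.key` config key are assumed names; the separate files are shown together here for readability (PHP permits several non-bracketed `namespace` declarations in one file, but in a real app each class lives in its own file under `app/`).

```php
<?php
// Added example, not part of the original skill. Assumed names: App\Models\Post,
// App\Policies\PostPolicy, App\Http\Requests\UpdatePostRequest, PostController.

// --- config/services.php: the ONLY place env() is read ----------------------
// return [
//     'payments' => ['key' => env('PAYMENTS_API_KEY')],
// ];
// Application code reads config('services.payments.key'), which still works
// after `php artisan config:cache`; env('PAYMENTS_API_KEY') would return null.

// --- app/Policies/PostPolicy.php (registered automatically by model name) -----
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Ownership check lives here, not as `$user->role === ...` in a controller.
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}

// --- app/Http/Requests/UpdatePostRequest.php ---------------------------------
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdatePostRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Delegates to PostPolicy::update using the route-bound Post; a failing
        // check yields a 403 before rules() is ever evaluated.
        return $this->user()->can('update', $this->route('post'));
    }

    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:120'],
            'body'  => ['required', 'string', 'max:20000'],
            // 'user_id' is deliberately absent: validated() will never contain it,
            // so the post cannot be re-parented by tampering with the form.
        ];
    }
}

// --- app/Http/Controllers/PostController.php ---------------------------------
namespace App\Http\Controllers;

use App\Http\Requests\UpdatePostRequest;
use App\Models\Post;
use Illuminate\Contracts\View\View;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function show(Request $request, Post $post): View
    {
        // The authorization decision is made here and passed to the view as a
        // boolean; the Blade template contains no role or ownership logic.
        return view('posts.show', [
            'post'    => $post,
            'canEdit' => $request->user()?->can('update', $post) ?? false,
        ]);
    }

    public function update(UpdatePostRequest $request, Post $post): RedirectResponse
    {
        // validated() contains only title/body. $request->all() would let a client
        // inject any column that happens to be $fillable.
        $post->update($request->validated());

        return redirect()->route('posts.show', $post);
    }
}

// --- resources/views/posts/show.blade.php (excerpt, shown as comments) --------
//   <h1>{{ $post->title }}</h1>                 {{-- escaped; {!! !!} would not be --}}
//   @if ($canEdit)
//       <form method="POST" action="{{ route('posts.update', $post) }}">
//           @csrf                                {{-- hidden _token field --}}
//           @method('PATCH')
//           <input name="title" value="{{ old('title', $post->title) }}">
//           <textarea name="body">{{ old('body', $post->body) }}</textarea>
//           <button>Save</button>
//       </form>
//   @endif
```

The important property of this arrangement is that every trust decision has exactly one home: ownership in the policy, input shape in the Form Request, configuration in `config/`, and the template only renders booleans and escaped values it is handed.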