
Cryptography in PHP — openssl_*, sodium_* for encryption

Advanced · 5 min read · php-16-012
Tags: security, interview

Concept

This checklist consolidates the most critical security practices for Laravel/PHP applications into a deployment-ready reference. Treat it as a recurring gate (every release, every dependency bump, every infrastructure change), not a one-time exercise.

Application security:

  • Use HTTPS everywhere. Enforce it with HSTS and set session.secure so cookies are never sent over plain HTTP.
  • Use Laravel Sanctum or Passport for API authentication; never roll your own token scheme.
  • Keep the VerifyCsrfToken middleware on every session-authenticated route (including Sanctum SPA routes); only purely token-authenticated API routes are exempt.
  • Validate ALL user input with Form Requests and consume $request->validated(), not $request->all(), downstream.
  • Define $fillable on every Eloquent model. Never set $guarded = []: it makes every column mass-assignable, including role and password fields.
  • Use parameterized queries everywhere (Eloquent and the query builder bind values for you). When raw SQL is unavoidable, pass user data as bindings; never interpolate it into the SQL string.
  • Hash passwords with Hash::make() (bcrypt or argon2id, per config/hashing.php) and verify with Hash::check(); never store or compare plaintext.
  • Use policies and gates for authorization and check them in every controller action, not just when rendering the UI.
  • Log security events: failed logins, permission denials, suspicious actions. Log who, what and from where, but never credentials or tokens.
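
The items above, as an added example that is not code from the page: a deliberately vulnerable controller action next to its hardened form, with the Form Request and model that make the hardened version work. UpdateProfileRequest, a registered UserPolicy with an update method, and a users.is_admin column are assumed; the three "files" are shown in one listing for brevity.

```php
<?php
// Added example (not code from the page): the application-security checklist
// items as a vulnerable action beside its hardened form. UpdateProfileRequest,
// UserPolicy::update and the users.is_admin column are assumed to exist.

declare(strict_types=1);

namespace App\Http\Controllers;

use App\Http\Requests\UpdateProfileRequest;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;

// BEFORE: no authorization, mass assignment, string-built SQL.
class VulnerableProfileController extends Controller
{
    public function update(Request $request, User $user)
    {
        // Any authenticated user can edit any $user. If the model had $guarded = [],
        // a body of {"is_admin": true, "password": "x"} would be persisted as sent.
        $user->update($request->all());

        // Input becomes SQL text: email=' OR '1'='1 matches every row.
        $email = $request->input('email');
        $dupes = DB::select("SELECT id FROM users WHERE email = '$email'");

        return response()->json(['ok' => true, 'dupes' => count($dupes)]);
    }
}

// AFTER: policy check, validated allow-list, explicit hashing, bound query, audit log.
class ProfileController extends Controller
{
    public function update(UpdateProfileRequest $request, User $user)
    {
        if ($request->user()->cannot('update', $user)) {   // UserPolicy::update (assumed)
            Log::warning('authz.denied', [
                'actor' => $request->user()->id, 'target' => $user->id, 'ip' => $request->ip(),
            ]);
            abort(403);
        }

        // validated() returns only the keys declared in rules(); the model's
        // $fillable below is a second, independent allow-list.
        $data = $request->validated();
        if (isset($data['password'])) {
            $data['password'] = Hash::make($data['password']);   // bcrypt/argon2id per config/hashing.php
        }
        $user->fill($data)->save();

        // Bindings: the value travels to the driver separately from the SQL text.
        $dupes = DB::select('SELECT id FROM users WHERE email = ? AND id <> ?', [$data['email'], $user->id]);

        return response()->json(['ok' => true, 'dupes' => count($dupes)]);
    }
}

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateProfileRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'name'     => ['required', 'string', 'max:100'],
            'email'    => ['required', 'email', 'max:254'],
            'password' => ['sometimes', 'string', 'min:12', 'confirmed'],
        ];
    }
}

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Allow-list. is_admin is deliberately absent: it is only ever set by admin tooling.
    protected $fillable = ['name', 'email', 'password'];
    protected $hidden = ['password', 'remember_token'];
}
```

The two allow-lists are independent on purpose: if someone later adds a field to the Form Request rules, $fillable still blocks it from being written, and vice versa.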

PHP/Server configuration:

  • display_errors = Off and log_errors = On in production, so stack traces go to the log rather than the response.
  • expose_php = Off (removes the X-Powered-By header that advertises the exact PHP version).
  • Set upload_max_filesize, post_max_size, max_input_vars and max_execution_time to the smallest values the application actually needs; unbounded limits are a resource-exhaustion vector.
  • Run PHP-FPM pools as a dedicated non-root user (one pool user per application when several share a host).
  • Keep PHP, Laravel, and all packages updated. Run composer audit in CI.
  • Disable PHP functions the application does not need: disable_functions = exec,passthru,shell_exec,... (treat the list as a starting point and tune it per application; a disabled function the app relies on fails loudly, a dangerous one left enabled fails silently).
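
A self-check for the settings above, as an added example (not code from the page). The function names are mine and the list of functions expected in disable_functions is an assumption to tune per application; the upload budget of 10 MB is likewise only a placeholder.

```php
<?php
// Added example (not code from the page): verifies the php.ini / PHP-FPM settings
// in the checklist against what the running interpreter actually uses.
//
// It must run under the SAPI that serves traffic. The CLI SAPI hard-codes
// display_errors=STDOUT and max_execution_time=0, so `php check.php` reports the
// CLI's values, not PHP-FPM's: run it from an internal-only route or via cgi-fcgi
// against the FPM socket. The constants below are assumptions; adjust them.

declare(strict_types=1);

const MUST_BE_OFF         = ['display_errors', 'expose_php', 'allow_url_include'];
const SHOULD_BE_DISABLED  = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
const MAX_UPLOAD_BYTES    = 10 << 20;   // placeholder budget: 10 MB

/** php.ini spells "off" several ways, and ini_get() returns them verbatim as strings. */
function iniIsOff(string $value): bool
{
    return in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

/** Parses php.ini shorthand such as "2M" or "512K" into bytes. */
function shorthandToBytes(string $value): int
{
    $value = trim($value);
    $n = (int) $value;                       // (int) "20M" === 20
    return match (strtolower(substr($value, -1))) {
        'g' => $n << 30,
        'm' => $n << 20,
        'k' => $n << 10,
        default => $n,
    };
}

/** @return string[] findings; an empty array means the runtime matches the checklist */
function auditPhpRuntime(): array
{
    $findings = [];

    if (PHP_SAPI === 'cli') {
        $findings[] = 'running under the cli SAPI: values below are NOT what PHP-FPM uses';
    }

    foreach (MUST_BE_OFF as $setting) {
        $value = (string) ini_get($setting);
        if (!iniIsOff($value)) {
            $findings[] = "$setting is '$value', must be Off";
        }
    }

    // disable_functions is a comma-separated list; compare case-insensitively.
    $disabled = array_filter(array_map(
        static fn (string $f): string => strtolower(trim($f)),
        explode(',', (string) ini_get('disable_functions'))
    ));
    foreach (SHOULD_BE_DISABLED as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is callable; add it to disable_functions";
        }
    }

    // Limits must be bounded. 0 means unlimited for max_execution_time.
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time is 0 (unlimited)';
    }
    foreach (['upload_max_filesize', 'post_max_size'] as $setting) {
        if (shorthandToBytes((string) ini_get($setting)) > MAX_UPLOAD_BYTES) {
            $findings[] = "$setting exceeds the " . MAX_UPLOAD_BYTES . '-byte budget';
        }
    }

    // The FPM pool must not run as root (posix_geteuid needs ext-posix).
    if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
        $findings[] = 'PHP is running as root; set user/group in the FPM pool config';
    }

    return $findings;
}

// Usage: write findings to the FPM error log, never into the HTTP response body.
foreach (auditPhpRuntime() as $finding) {
    error_log('php-config-audit: ' . $finding);
}
```

Because the check reads ini_get(), it sees the value after php.ini, the pool's php_admin_value overrides and any .user.ini have been merged, which is the value an attacker would actually be up against.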

Infrastructure:

  • Store secrets in .env and never commit it; commit .env.example with placeholder values as documentation. In production, prefer injecting secrets through the environment or a secret manager over a long-lived file on disk.
  • Rotate APP_KEY if it is compromised. Rotation invalidates every session, signed cookie and signed URL, and anything stored with Crypt becomes undecryptable unless it is re-encrypted under the new key first (Laravel 11+ can list the old key in APP_PREVIOUS_KEYS so decryption keeps working during the switch).
  • The web server / PHP-FPM user must not have write access to application code; only storage/ and bootstrap/cache/ need to be writable by it.
  • Store uploaded files outside the webroot (for example under storage/app, served through a controller that checks authorization), validate type and size server-side, and never reuse the client-supplied filename on disk.
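
The APP_KEY rotation caveat, as an added example that is not code from the page: re-encrypting stored values from the compromised key to the new one with Laravel's own Encrypter class. The sample value is constructed here; in a real rotation the loop reads and writes the table holding the encrypted column in chunks inside a transaction.

```php
<?php
// Added example (not code from the page): rotating APP_KEY without losing values
// stored with Crypt::encryptString(). Encrypter is Laravel's own class from
// illuminate/encryption; the keys and the stored value below are constructed.

declare(strict_types=1);

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

/** Builds an Encrypter from a key in the "base64:..." form that .env uses. */
function encrypterFromAppKey(string $appKey, string $cipher = 'AES-256-CBC'): Encrypter
{
    $raw = str_starts_with($appKey, 'base64:') ? base64_decode(substr($appKey, 7), true) : $appKey;
    if ($raw === false || !Encrypter::supported($raw, $cipher)) {
        throw new InvalidArgumentException("key is not a valid {$cipher} key");
    }
    return new Encrypter($raw, $cipher);
}

/**
 * Re-encrypts one stored payload from $old to $new. Laravel's payload carries an
 * HMAC, so the wrong key raises DecryptException instead of yielding garbage;
 * such rows come back as null so the caller reports them rather than
 * overwriting them with nonsense.
 */
function rotatePayload(Encrypter $old, Encrypter $new, string $payload): ?string
{
    try {
        return $new->encryptString($old->decryptString($payload));
    } catch (DecryptException) {
        return null;
    }
}

// Constructed demo: a "compromised" key, its replacement, and one stored value.
$oldKey = 'base64:' . base64_encode(Encrypter::generateKey('AES-256-CBC'));
$newKey = 'base64:' . base64_encode(Encrypter::generateKey('AES-256-CBC'));
$old = encrypterFromAppKey($oldKey);
$new = encrypterFromAppKey($newKey);

$stored  = $old->encryptString('4111 1111 1111 1111');   // what the DB row holds today
$rotated = rotatePayload($old, $new, $stored);
assert($rotated !== null && $new->decryptString($rotated) === '4111 1111 1111 1111');
assert(rotatePayload($old, $new, $rotated) === null);    // already-rotated row is detected, not corrupted

// Order of operations after a compromise:
//   php artisan down        (no new writes under the old key while rows are re-encrypted)
//   re-encrypt every row with rotatePayload(), committing per chunk and logging nulls
//   set the new APP_KEY in the environment and rebuild the cached config
//   php artisan up          (every session, signed cookie and signed URL is now invalid, as intended)
// On Laravel 11+ the old key can go into APP_PREVIOUS_KEYS instead, so reads keep
// working during the switch while new writes use only the new key.
```

The MAC check is what makes this safe to re-run: a second pass over a half-rotated table cannot double-encrypt or corrupt rows, because decryption under the old key fails closed on anything already written with the new one.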

Code Example

<?php
// Security audit checklist (run in CI)

// 1. Check for vulnerable packages
// composer audit

// 2. Static analysis (type and logic bugs; add larastan for Laravel-aware rules)
// vendor/bin/phpstan analyse --level=max

// 3. SAST scanner: Laravel Enlightn (security, performance and reliability checks)
// composer require --dev enlightn/enlightn
// php artisan enlightn
// Security checks include: debug mode, APP_KEY, CORS, cookie security, CSP,
// password hashing, mass assignment, SQL injection, XSS, clickjacking, and more

// 4. Verify APP_KEY is set and has the length the configured cipher needs.
//    Read config('app.key'), not env(): once `php artisan config:cache` has run,
//    env() returns null everywhere except inside the config files themselves.
$appKey = (string) config('app.key');
$cipher = strtolower((string) config('app.cipher', 'AES-256-CBC'));
$rawKey = str_starts_with($appKey, 'base64:')
    ? base64_decode(substr($appKey, 7), true)
    : $appKey;
$expected = str_contains($cipher, '128') ? 16 : 32;   // AES-128-* takes a 16-byte key, AES-256-* a 32-byte key
if ($rawKey === false || strlen($rawKey) !== $expected) {
    throw new \RuntimeException("APP_KEY not properly configured for {$cipher}");
}

// 5. Environment check
if (app()->isProduction() && config('app.debug') === true) {
    throw new \RuntimeException("debug mode must be false in production!");
}

// 6. Database query safety: list raw queries in the codebase, then review each one
//    by hand. A raw call is acceptable only if every user-controlled value is a binding.
// grep -rn "DB::statement\|DB::raw\|DB::select\|whereRaw\|orderByRaw\|groupByRaw\|selectRaw\|havingRaw" app/

// 7. File permissions (deploy script; "deploy" stands for your deploy user).
//    Code is owned by the deploy user and read-only to the PHP-FPM user (www-data);
//    only storage/ and bootstrap/cache/ are group-writable. .env ends up 640, never
//    644: a world-readable .env hands every secret to any other local account.
// chown -R deploy:www-data /var/www/app
// find /var/www/app -type d -exec chmod 750 {} \;
// find /var/www/app -type f -exec chmod 640 {} \;
// chmod -R g+w /var/www/app/storage /var/www/app/bootstrap/cache

// Dependency audit in CI (GitHub Actions)
// - name: Security audit
//   run: composer audit --no-dev
//   # Fails the build if any installed non-dev package has a known vulnerability

// Regular security review checklist:
// [ ] All routes authenticated/authorized
// [ ] All inputs validated
// [ ] No secrets in code or git history
// [ ] Logs don't contain PII or secrets
// [ ] Error messages don't leak implementation details
// [ ] File uploads stored outside webroot and MIME-validated
// [ ] Third-party dependencies audited and up-to-date