IMS Security guidelines

Backend

- Don't track the .env file
  - The .env file contains sensitive information like database credentials, application keys, etc. It must be included in the .gitignore file.
- Keep Laravel up to date
  - Keeping Laravel up to date allows us to stay in touch with the latest security updates.
- Keep first- and third-party packages up to date
- Disable debug messages in production
  - Make sure these two environment variables are correctly set in production: APP_ENV=production and APP_DEBUG=false.
- Don't send sensitive information to error monitoring tools
- Validate the user's input
  - Validation in Laravel is crucial in ensuring the application's security.
  - Never trust the users' input. Validation rules are numerous and will help to sanitize the data sent by the users with ease.
- Be careful with uploaded files
  - Users' input must never be trusted; that also goes for the files they upload.
  - Always check the file's MIME type. Laravel has the right validation rules for that, e.g.: 'file' => 'required|mimes:gif,jpeg,png,webp'.
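The two items above (input validation and uploaded files) put together, as an added example that is not part of the original guidelines or of the IMS code base: a Laravel FormRequest that validates a profile update, including the avatar's real MIME type, and the controller method that consumes it. The class, field and route names (UpdateProfileRequest, ProfileController, avatar, profile.show) are assumptions chosen for illustration.

```php
<?php
// Added example, not part of the original guidelines. Two files are shown in one
// block; in a real app each class lives in its own file under app/Http/.
// Class, field and route names are assumptions for illustration.

// --- app/Http/Requests/UpdateProfileRequest.php ---
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateProfileRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Only an authenticated user may submit this request.
        return $this->user() !== null;
    }

    public function rules(): array
    {
        return [
            // Text fields: type, length and format are checked before the
            // controller ever sees the values.
            'name'   => ['required', 'string', 'max:100'],
            'email'  => ['required', 'email', 'max:254'],
            'bio'    => ['nullable', 'string', 'max:1000'],
            // Uploaded file: the 'mimes' rule inspects the file's contents to
            // guess its type, so a renamed extension or a client-supplied
            // Content-Type header does not fool it. 'max' is in kilobytes.
            'avatar' => ['nullable', 'file', 'mimes:gif,jpeg,png,webp', 'max:2048'],
        ];
    }
}

// --- app/Http/Controllers/ProfileController.php ---
namespace App\Http\Controllers;

use App\Http\Requests\UpdateProfileRequest;
use Illuminate\Http\RedirectResponse;

class ProfileController extends Controller
{
    public function update(UpdateProfileRequest $request): RedirectResponse
    {
        // Type-hinting the FormRequest runs validation before this method is
        // entered; on failure Laravel redirects back with the errors (or returns
        // 422 for JSON clients). safe() yields only the validated fields, so
        // nothing outside rules() can be mass-assigned to the model.
        $data = $request->safe()->except('avatar');

        if ($request->hasFile('avatar')) {
            // store() writes the file under a random name on the default disk,
            // so the user-chosen filename never reaches the filesystem.
            $data['avatar_path'] = $request->file('avatar')->store('avatars');
        }

        $request->user()->update($data);

        return redirect()->route('profile.show');
    }
}
```

The model's `$fillable` list still has to name `name`, `email`, `bio` and `avatar_path` (an assumption here); `safe()->except('avatar')` keeps the UploadedFile object out of the update call, and `store()` discards the original filename, which is the part of an upload most often used to smuggle a path or a misleading extension.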
- Prevent SQL injection by avoiding raw queries
  - Whenever possible, use Laravel's Eloquent ORM to construct the application's queries.
  - If it is necessary to use raw queries, always ensure that parameter binding is used, e.g.: DB::select("SELECT * FROM users WHERE name = ?", [$name]);
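The same lookup written four ways, as an added example that is not from the original guidelines or the IMS code base: the unsafe string-built query beside the bound raw query, a bound `whereRaw`, and the Eloquent form. Note that `DB::raw()` only wraps a string as an SQL expression and accepts no bindings; binding is done by `DB::select()`, `DB::statement()`, `whereRaw()` and friends. The `User` model and the `name`/`created_at` columns are assumptions for illustration.

```php
<?php
// Added example, not part of the original guidelines. Assumes a standard Laravel
// app with a User model backed by a `users` table (assumption).

use App\Models\User;
use Illuminate\Support\Facades\DB;

// UNSAFE: the value is spliced into the SQL text. A name containing a quote
// character changes the structure of the statement instead of being compared
// as data. Kept here only as the "before" to contrast with the forms below.
function findByNameUnsafe(string $name): array
{
    return DB::select("SELECT * FROM users WHERE name = '$name'");
}

// SAFE 1: raw SQL with positional parameter binding. The SQL text and the
// value travel to the driver separately, so the value is never parsed as SQL.
function findByNameRaw(string $name): array
{
    return DB::select('SELECT * FROM users WHERE name = ?', [$name]);
}

// SAFE 2: a raw fragment inside the query builder, still with bindings.
function findByNameCaseInsensitive(string $name)
{
    return DB::table('users')
        ->whereRaw('LOWER(name) = ?', [mb_strtolower($name)])
        ->get();
}

// SAFE 3 (preferred): Eloquent and the query builder bind every value for you.
function findByNameEloquent(string $name)
{
    return User::where('name', $name)->get();
}

// Caveat: bindings protect values only. Table and column names cannot be bound,
// so a user-controlled identifier (a sort column from the query string, say)
// must be checked against an allow-list before it reaches the query.
function usersSortedBy(string $column)
{
    $allowed = ['name', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        $column = 'name';
    }

    return User::orderBy($column)->get();
}
```

When reviewing code, the thing to grep for is a `$` variable or string concatenation inside the quotes of any `DB::select`, `DB::statement`, `whereRaw`, `selectRaw`, `orderByRaw` or `DB::raw` call; a `?` or `:named` placeholder with a bindings array is the safe shape.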
- Escape content to prevent XSS
  - To avoid XSS attacks, use the double-brace syntax in Blade templates: {{ $variable }}.
  - Only use the {!! $variable !!} syntax when you are sure that the data in the variable contains HTML and is safe to be displayed.
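What the two Blade syntaxes actually compile to, as an added example that is not part of the original guidelines: `{{ $x }}` becomes `<?php echo e($x); ?>` and `{!! $x !!}` becomes `<?php echo $x; ?>`. The block below reproduces that difference in plain PHP so it can be run outside a template; the `e()` fallback is a stand-in for Laravel's helper when the script is run without the framework loaded, and the comment text is constructed sample input.

```php
<?php
// Added example, not part of the original guidelines. Runs inside a Laravel app
// (where e() is provided by illuminate/support) or stand-alone via the fallback.

if (!function_exists('e')) {
    // Minimal stand-in for Laravel's e(): HTML-escape with ENT_QUOTES, UTF-8.
    function e(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
}

// Equivalent of  {{ $comment }}  : <, >, &, " and ' become entities, so the
// browser displays the user's text and never interprets it as markup.
function renderCommentEscaped(string $comment): string
{
    return '<p class="comment">' . e($comment) . '</p>';
}

// Equivalent of  {!! $comment !!}  : the string lands in the page unchanged.
// Acceptable only for HTML that is known to be safe (produced by a server-side
// sanitizer or written by trusted staff), never for text straight from a request.
function renderCommentRaw(string $trustedHtml): string
{
    return '<p class="comment">' . $trustedHtml . '</p>';
}

// Constructed sample input: ordinary user text that happens to contain markup.
$userComment = 'Great post! <b>bold</b> & "quotes"';

echo renderCommentEscaped($userComment), PHP_EOL;
// Same string through the raw path: the <b> tag becomes real markup, which is
// exactly what an attacker-controlled comment must never be allowed to do.
echo renderCommentRaw($userComment), PHP_EOL;
```

One caveat the guideline does not spell out: `{{ }}` escapes for the HTML body context only. A value dropped into an inline `<script>` block or an unquoted attribute needs context-specific encoding; for JavaScript, Blade's `@json($value)` directive emits a JSON-encoded, HTML-safe literal instead.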
- Do regular security audits