Secure Coding in Laravel Learning Path

With Laravel, a PHP language framework, websites and apps are built faster and easier than ever before. With all of this tooling, abstraction and speed, however, it can be easy to forget or overlook security. In this course, you will learn about some of Laravel's built-in security features; best practices for securing your application; and real-life code and examples.

7 hours, 9 minutes

Quick facts

About this learning path

  • Courses: 100% online
  • Duration: 7 hours, 9 minutes
  • Assessment: questions

About Secure Coding in Laravel

The PHP framework Laravel offers many options to build strong, safe apps and websites. In the first part of this course, you will explore some of the most common ways to secure your Laravel application. You’ll learn about configuring your application securely to reduce the chance of leaking secrets and credentials, validating user input and authentication methodologies. The second half of the course focuses on user access control through gates and policies, eliminating SQL injection attacks and securing sessions with rate limits. If you stick with it through the end, you’ll get a bonus section about static analysis, tripwires and honeypots.


Syllabus

Secure Coding in Laravel skill assessment

Assessment - 77 questions

Introduction and installation

Course - 00:20:00

To get started, we will examine what prerequisites you need to get the most out of this learning path. We'll discuss the different ways to install the Laravel framework and focus on the most secure choice. We will also talk about the security concerns of using third-party packages. The course will introduce some tips on how to audit your application after a third-party package is installed. Finally, we'll share resources to stay up-to-date with Laravel.

Protecting secrets and reducing information leakage

Course - 00:21:00

Securing configuration and secrets is one of the most important parts of your Laravel app. This course will focus on using the configuration system properly, securing environment secrets and ways to force SSL for your Laravel app. In addition, log filtering and exception handling systems are constructed to reduce the chance of leaking sensitive information.

Validation

Course - 00:39:00

Validation is necessary to secure input from both users and third parties. In this course, we'll discuss what things to validate, why to validate them and how to use Laravel's built-in rules to get the most secure validation configuration. We'll examine using form requests to validate for controllers, as well as using inline validation for commands. Finally, custom validation is built and dissected.

Authentication

Course - 00:23:00

Authentication is the first half of securing user access to your Laravel application. In this course, we'll cover how to authenticate users in Laravel and the reasons why. We'll discuss and examine the built-in Laravel authentication kits and explain which kit is best for which use case. Even if you have unique authentication requirements, Laravel's authentication system can be used, and we'll show how with a custom authentication provider.

Authorization

Course - 00:42:00

Authorization is the second half of securing user access to your Laravel application. In this course, we'll discuss the different built-in options Laravel has to provide authorization. Gates, a simpler solution, will be compared to the more advanced policy system. Extending the authorization system with roles and permissions using a third-party package is also demonstrated. Finally, best practices for using authorization will be presented, including how to avoid some common traps.

Database and Eloquent

Course - 00:16:00

The Laravel database access layer has a lot of built-in protection from common attacks. However, when you need to customize functionality, it can be easy to undo that layer and allow attacks like SQL injection. In this course, we'll discuss how Laravel protects your database and look at ways to extend functionality without compromising security. Then, we'll pivot to performance and reducing the chance of denial of service attacks. Finally, concentrating on a layered approach to security in your app, we'll focus on the security of properties in an Eloquent model.

Hashing, passwords and encryption

Course - 00:08:00

In this course, three related concepts are compared and analyzed. Securing Laravel passwords and ensuring their complexity is explained. Hashing functionality and algorithms provided by Laravel are also reviewed. Leveraging encryption by hand, as well as where it's automatically integrated into Laravel, is also discussed.

Sessions and cookies

Course - 00:19:00

Two mechanisms for tracking users between requests and storing user information are discussed in this course: sessions and cookies. First, all of the different session configurations and drivers are discussed. We'll review what is really necessary and what is just hype. Then, using persistent session storage and flashing session data is reviewed. The course concludes with a discussion of the usage and security of Laravel cookies.

Rate limiting

Course - 00:09:00

Laravel provides functionality to rate limit incoming requests. The rationale for choosing to protect endpoints, both globally and with segmented or conditional choices, is discussed.

Request methods, CSRF, escaping & headers

Course - 00:26:00

This course focuses on supporting request and response security. First, we'll discuss how Laravel supports semantic request verbs while still being compatible with browsers. Then, tools that protect against cross-site request forgery and cross-site scripting are examined. Finally, the best practices for applying specific security-related headers to responses are reviewed.

Code security and scanning tools

Course - 00:22:00

There are two types of scanning tools that can be used on a Laravel application: developer code-scanning tools and hacker attack tools. In this course, we talk about what tools you should run to scan your code and configuration for security holes and vectors of attack. Additionally, we discuss other tools that a bad actor might use against your website, so you can learn to use them against yourself first and protect yourself proactively.

Tripwires and honeypots

Course - 00:11:00

This course covers two ways of interacting with bad actors: honeypots and tripwires. Tripwires, functionality that detects a specific pattern of restricted access and then actively alerts or blocks that access, are discussed and demonstrated. Honeypots, functionality attached to the app to monitor suspected bad activity and report on it later, are also reviewed.

Closing thoughts and project

Course - 02:29:00

Closing out this learning path, we’ll talk about what next steps to take to secure your Laravel application and stay connected with the community. You’ll learn how to stay in the know and see what new security weaknesses are out there and whether you’re affected. You'll conclude this learning path with a hands-on project.

Meet the author

Aaron Saray

Aaron Saray believes that meeting business objectives and software security go hand-in-hand. Even before cyber security was a widely recognized career path, he was creating war games and capture the flag challenges for his fellow IT professionals. Now, he specializes in web-based programming in open source languages. He hasn’t let his first love wither, though! He’s a staunch advocate for unit tests, access controls, and security audits in all of his projects. His Infosec content shows his deep understanding of his chosen programming tools while elegantly applying best practices in secure coding.

The details

Learning path insights

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Plans & pricing

Infosec Skills Personal

$299 / year

  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Learn about scholarships and financing with Affirm.