Matt King
Laravel Security Engineer at StackShield
About
Matt has spent over a decade building and auditing Laravel applications. Before co-founding StackShield, he led security reviews at a Laravel consultancy where he kept finding the same critical misconfigurations — exposed .env files, debug mode left on, missing security headers — sitting undetected for months until something broke. That experience convinced him the problem wasn't developer negligence: it was the lack of continuous external visibility. StackShield is the tool he wished he had in every client engagement.
He writes about Laravel security from a practitioner's perspective, focused on the specific vulnerabilities that appear in real production deployments and the concrete steps to fix them.
Articles (55)
Laravel Session Security: Cookies, Hijacking & config/session.php
A deep dive into Laravel session security. Learn how cookie flags, session drivers, and config/session.php settings protect against hijacking, fixation, and sidejacking attacks.
Automated Security Testing in Laravel CI/CD Pipelines
How to add security gates to your Laravel CI/CD pipeline with GitHub Actions. Covers dependency scanning, static analysis, secret detection, and automated security monitoring.
Laravel Content Security Policy: Configure CSP Without Breaking Your App
Only 22% of Laravel apps have a Content Security Policy. Learn how to implement CSP with spatie/laravel-csp, handle Livewire and Vite nonces, and avoid the mistakes that break production.
Laravel Is Now on the Same Federal Vulnerability List as Apple. Here Is What That Means.
CISA added the Livewire RCE vulnerability (CVE-2025-54068) to the Known Exploited Vulnerabilities catalog, linking it to active exploitation by Iranian APT MuddyWater. A Laravel ecosystem package is now on the same US government list as Apple and Microsoft. Here is what that changes for your team.
Copy Fail: Why Every Laravel Server Needs a Kernel Update Right Now (CVE-2026-31431)
A local privilege escalation vulnerability in the Linux kernel affects every server running a kernel from 2017 onward. Laravel Forge has issued a specific advisory. The exploit is 732 bytes, works reliably, and is active in the wild. Here is what Laravel teams need to do.
Composer's Hidden Attack Surface: How Two Command Injection Flaws Put Every PHP Project at Risk
Two command injection vulnerabilities in Composer's Perforce driver (CVE-2026-40261 and CVE-2026-40176) can be exploited even if Perforce is not installed on your system. Malicious package metadata from any Composer repository can trigger arbitrary shell command execution. Update to Composer 2.9.6 immediately.
The Intercom PHP Hack: How a Composer Plugin Stole Credentials From Thousands of Developers
On April 30, 2026, attackers compromised intercom/intercom-php on Packagist (20.7 million lifetime installs). The malicious version auto-executed as a Composer plugin, downloading Bun and exfiltrating GitHub tokens, SSH keys, and environment variables. Here is what happened and how to protect yourself.
Securing Laravel Horizon in Production: A Complete Guide
Laravel Horizon exposes your entire queue system, including job payloads, failed jobs with user data, and worker status. Here is how to lock it down properly in production.
CVE-2026-23524: Laravel Reverb RCE via Insecure Deserialization (CVSS 9.8)
Laravel Reverb versions 1.6.3 and below have a critical insecure deserialization vulnerability. When horizontal scaling is enabled, Reverb passes Redis channel data directly into unserialize() without class restrictions. If your Redis is unauthenticated, attackers can achieve full remote code execution. Here is how to check and fix it.
Laravel 13 Security: What Changed from Laravel 12 and What You Need to Know
A security-focused review of Laravel 13 for teams upgrading from Laravel 12. Covers new defaults, deprecated patterns, configuration changes, and a post-upgrade security checklist.
PHP Security Audit: A Developer's Guide Beyond Laravel
A comprehensive PHP security audit guide covering dependency scanning, php.ini hardening, input validation, common vulnerability classes, static analysis tools, and web server configuration.
Laravel Debug Mode in Production: What Attackers See
18% of Laravel apps run debug mode in production. Attackers use exposed stack traces, environment variables, and database credentials to compromise your app.
OWASP Top 10 in Laravel: Real Vulnerabilities, Real Code Fixes (2026)
SQL injection through raw queries. XSS from unescaped Blade output. CSRF bypasses on API routes. Every OWASP Top 10 category mapped to Laravel-specific vulnerabilities with code you can copy to fix them.
Your Laravel .env File Is Probably Exposed Right Now
12% of Laravel apps have publicly accessible .env files. Learn how attackers find them, what they steal, and how to verify yours is protected.
Laravel Telescope in Production: Security Risks You Need to Know
Laravel Telescope records every request, query, job, and log entry in your application. Left exposed in production, it gives attackers a real-time view into your entire system.
What Is an Attack Surface? A Developer's Guide
An attack surface is the total number of points where an attacker can try to enter or extract data from your system. Understanding yours is the first step to reducing it.
Composer Audit: Find Vulnerable PHP Packages Before Attackers Do
Your composer.lock probably has vulnerable packages right now. Run composer audit to find them, fix with targeted updates, and add automated vulnerability scanning to your CI/CD pipeline so nothing ships unpatched.
Laravel Security Guide: Every Vulnerability, Fix Guide & Checklist in One Place
The complete index of Laravel security resources. Find fix guides for exposed .env files, debug mode, XSS, CSRF, CORS, session security, and more. Plus checklists, comparison pages, and free scanning tools.
A Guide to Security Headers: What They Do and How to Secure Your Laravel Application
Discover how to secure your Laravel application with the right security headers.
5 CORS Misconfigurations in Laravel That Create Vulnerabilities
Wildcard origins, reflected headers, and exposed credentials. These five CORS misconfigurations in Laravel let attackers bypass same-origin protections.
The OWASP Top 10 Just Changed. Here Is What It Means for Laravel Teams.
The OWASP Top 10 2025 added supply chain failures at #3 and error handling at #10, while injection dropped to #5. Here is the full updated list and what Laravel developers need to do differently.
NIST SP 800-81r3 DNS Security: 6 Changes That Affect Your Infrastructure in 2026
The first NIST DNS security update since 2013. New guidance on Protective DNS, encrypted DNS (DoH/DoT), DNSSEC, and dangling record cleanup. Here are the 6 key changes and what to do.
Your Laravel APP_KEY Is on GitHub. That Means Remote Code Execution.
GitGuardian found 260,000 exposed Laravel APP_KEYs on GitHub. A leaked APP_KEY lets attackers forge cookies, deserialize objects, and get full RCE on your server. Here's how the attack chain works and how to rotate your key safely.
CVE-2025-54068: Critical Livewire RCE Vulnerability in Laravel (How to Fix)
CVE-2025-54068 is a critical remote code execution vulnerability in Livewire v3 that allows unauthenticated attackers to execute arbitrary code on your server. With 130,000+ applications affected, here is how to check if you are vulnerable and patch it.
Fake Laravel Packages on Packagist Are Installing Backdoors. Here Is How to Check.
Three malicious Packagist packages disguised as Laravel utilities deploy a cross-platform RAT that gives attackers full shell access, reads your .env, and exfiltrates credentials. Here is what happened, how to check if you are affected, and what to do.
GitLab 2FA Bypass (CVE-2026-0723): What Happened and How to Protect Yourself
GitLab patched a high-severity two-factor authentication bypass (CVE-2026-0723, CVSS 7.4) that lets attackers hijack accounts. Here is what the vulnerability is, who is affected, and how to remediate it.
AI Is Writing Your Laravel Code. Who Is Checking Its Security?
Laravel's AI SDK, Boost, and tools like Cursor and Claude Code are changing how we build applications. But over 40% of AI-generated code contains security flaws. Here is how to ship faster without opening the door to attackers.
The Complete Laravel Security Checklist for 2026
A comprehensive, 30-point security checklist covering every layer of your Laravel application. From .env protection and security headers to debug mode detection and DNS security.
What Is External Attack Surface Management (EASM)?
External Attack Surface Management continuously discovers and monitors your internet-facing assets for security risks. Learn how EASM differs from DAST, SAST, and pentesting, and why every team shipping web apps needs it.
How to Secure a Laravel Application: 2026 Hardening Guide
The complete production hardening guide for Laravel. Covers headers, sessions, environment config, rate limiting, authentication, and continuous monitoring.
Best Laravel Security Tools Compared: Scanners, Monitors & Audit Tools (2026)
Compare the best security tools for Laravel. Covers static analysis, dependency scanning, external monitoring, penetration testing, and WAFs with a feature comparison table.
Continuous Security Monitoring vs Annual Pentesting: What Your Laravel App Actually Needs
A side-by-side comparison of continuous security monitoring and annual penetration testing. Learn when you need each, what they cost, and how they work together to protect your Laravel application.
SQL Injection in Laravel: Where Eloquent Protects You and Where It Doesn't
Eloquent and the Query Builder bind your values through PDO prepared statements, so a plain where() is safe. The trouble starts with whereRaw, dynamic orderBy, and LIKE wildcards. Here is exactly where the gaps are.
Laravel Security Scans in GitHub Actions: A CI/CD Pipeline Guide
Automate Laravel security checks in your GitHub Actions pipeline. Set up composer audit, static analysis, StackShield post-deploy scans, and block merges when vulnerabilities are found.
Laravel Authorization Done Right: Gates, Policies, and the Holes Teams Leave
Authentication proves who a user is. Authorization decides what they are allowed to touch. Most Laravel apps get the first part right and then load /orders/123 without ever checking the order belongs to the logged-in user. Here is how Gates and Policies actually work, and where the access-control holes hide.
SSRF in Laravel: The Risk Hiding in Http::get()
A single user-supplied URL passed into Laravel's HTTP client can let an attacker read your cloud metadata and steal IAM credentials. Here is how SSRF works and how to build a URL validator that actually blocks it.
ISO 27001 for Laravel Applications: Controls, Annex A, and What Developers Must Implement
ISO 27001:2022 defines 93 Annex A controls across four domains. This guide maps the technological controls that directly affect Laravel developers to specific implementations: access control, authentication, logging, cryptography, secure development, and continuous monitoring.
Adding Two-Factor Authentication to Laravel with Fortify
A working password is no longer enough. Here is how to wire up TOTP-based two-factor authentication in Laravel using Fortify, from the migration columns through the QR challenge, and how to force every admin account to enrol.
PCI DSS v4.0 for Laravel Developers: What You Actually Need to Implement
PCI DSS v4.0 became mandatory in March 2025. If your Laravel application touches payment card data, you need to know exactly which of the 12 PCI requirements apply to you and what they mean in PHP terms. This guide cuts through the compliance jargon.
Laravel Session Security: HttpOnly, SameSite, and Secure Cookies
Your session configuration is probably insecure by default. Learn how to configure HttpOnly, SameSite, Secure flags, session expiration, and driver selection to prevent hijacking and fixation.
CSRF Protection in Laravel: How It Works and the Mistakes That Disable It
Laravel ships CSRF protection on by default, then developers quietly switch it off one route at a time. Here is how the token actually works, the four changes that disable it, and when you genuinely do not need it.
HIPAA Technical Safeguards for Laravel Applications Handling PHI
If your Laravel application stores or processes Protected Health Information, you need specific technical safeguards. This guide covers the HIPAA Security Rule requirements that PHP developers must implement, with Laravel-specific code examples.
Securing Your Laravel CI/CD Pipeline: A Practical DevSecOps Guide
With 70% of teams releasing continuously, your CI/CD pipeline is a high-value target. This guide covers securing GitHub Actions and GitLab CI for Laravel projects: secrets management, composer audit integration, SAST scanning, container security, deployment hardening, and artifact signing with practical YAML configs.
SOC 2 Compliance for Laravel Applications: A Technical Implementation Guide
SOC 2 Type II compliance requires documented, auditable controls for security, availability, and confidentiality. This guide maps SOC 2 Trust Service Criteria to specific Laravel configurations and tells you exactly what evidence auditors will ask for.
Laravel Mass Assignment: How $fillable and $guarded Go Wrong
Mass assignment turns a tidy one-liner into a privilege-escalation bug. Here is how attackers set is_admin=1 through your profile form, and the exact Eloquent patterns that stop them.
Subdomain Takeover: How Dangling DNS Records Put Your Laravel App at Risk
Dangling DNS records are one of the most overlooked attack vectors in Laravel deployments. Learn how subdomain takeover works, why deprovisioned cloud resources create exploitable gaps, and how to protect your application.
How to Pentest a Laravel Application: A Practical Methodology
A step-by-step external penetration testing methodology for Laravel applications. Covers reconnaissance, fingerprinting, common exploit paths, tools, and when to hire a professional.
Open Ports in Production: Why Your Laravel Server Has More Exposed Services Than You Think
Most Laravel deployments expose far more network services than developers realise. From MySQL and Redis to forgotten Vite dev servers, open ports give attackers a roadmap to your infrastructure. Here is how to find and close them.
Laravel XSS Protection: Blade, Livewire, and Raw Output
Cross-site scripting bypasses Laravel's default escaping more often than you think. Covers Blade's triple-brace pitfall, Livewire injection, and raw HTML output.
How to Security Audit a Laravel Application: A Practical Guide
A step-by-step guide to auditing the security of a Laravel application. Covers dependency scanning, configuration review, external scanning, code review patterns, and how to prioritize findings.
Security Headers for SOC 2 and ISO 27001: What Laravel Teams Need to Know
SOC 2 and ISO 27001 audits increasingly flag missing or misconfigured security headers. Learn which headers auditors look for, how to implement them in Laravel middleware, and how to monitor compliance continuously.
PHP Supply Chain Attacks: How Malicious Packages Sneak Into composer.json
Typosquatting, dependency confusion, and hijacked maintainer accounts. A breakdown of how PHP supply chain attacks work, real incidents, and what you can do to protect your Composer dependencies.
The Vercel Breach: What Happened, Who Is Affected, and What You Should Do Right Now
Vercel confirmed a security breach on April 19, 2026 after attackers compromised a third-party AI tool to pivot into internal systems. Environment variables, API keys, and deployment data were exposed. Here is what happened and how to protect your applications.
Laravel Security Checklist 2026: 40 Checks Before Deploy
The 40 security checks we run on every Laravel app before it goes live. Most apps fail at least 5. Covers exposed .env files, debug mode, missing headers, CORS, session config, and dependency vulnerabilities.
Laravel File Upload Security: 7 Vulnerabilities Attackers Exploit
File uploads are one of Laravel's most dangerous attack surfaces. Learn how attackers exploit validation gaps, path traversal, and storage misconfigs to achieve RCE.