Laravel API Security Checklist
Secure your Laravel API endpoints against common vulnerabilities. Covers authentication, input validation, rate limiting, and response security.
Authentication & Authorization
Never roll your own token authentication. Sanctum is ideal for SPA and mobile app APIs. Passport is appropriate for full OAuth2 requirements. Both handle token generation, validation, and revocation securely.
API tokens should have a defined lifetime. For Sanctum, set the expiration in config/sanctum.php. Implement token rotation for long-lived sessions to limit the damage of a compromised token.
Use Laravel Policies and Gates to verify the authenticated user has permission to access the requested resource. Never rely solely on authentication — always check authorization for the specific action.
Use token abilities (Sanctum) or scopes (Passport) to limit what each token can do. A token for reading user profiles should not be able to delete accounts.
Review routes/api.php and remove any unused endpoints. Every registered route is a potential attack surface. Use Route::apiResource() instead of Route::resource() to exclude form-related routes.
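The five items above put together, as an added example that is not code from the page or any project: Sanctum authentication with a token ability per action group on a trimmed apiResource route set, plus a policy that authorizes the specific record. ProfileController, ProfilePolicy and the profiles:read / profiles:write ability names are assumed.

```php
<?php
// Two files shown in one block; class and ability names are assumptions.

// ---- routes/api.php ----
use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // apiResource omits the HTML-only create/edit routes; only() trims the
    // surface further. 'ability' is Sanctum's CheckForAnyAbility middleware,
    // whose alias must be registered (app/Http/Kernel.php on Laravel 10,
    // bootstrap/app.php on Laravel 11); a token lacking the ability gets 403.
    Route::apiResource('profiles', ProfileController::class)
        ->only(['index', 'show'])
        ->middleware('ability:profiles:read');

    Route::apiResource('profiles', ProfileController::class)
        ->only(['update', 'destroy'])
        ->middleware('ability:profiles:write');
});

// Issuing a read-only token with an expiry (e.g. from a login controller):
// $token = $user->createToken('mobile', ['profiles:read'], now()->addDays(7));

// ---- app/Policies/ProfilePolicy.php ----
// Authentication says who the caller is; the policy decides whether this
// caller may touch this record. ProfileController calls
// Gate::authorize('update', $profile) before mutating it.
namespace App\Policies;

use App\Models\Profile;
use App\Models\User;

class ProfilePolicy
{
    public function update(User $user, Profile $profile): bool
    {
        return $user->id === $profile->user_id;
    }

    public function delete(User $user, Profile $profile): bool
    {
        return $user->id === $profile->user_id;
    }
}
```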
Input Validation & Data Handling
Use dedicated FormRequest classes for every endpoint that accepts input. Define strict validation rules including types, lengths, and formats. Never trust client-side validation alone.
API Resources control exactly which fields are returned in responses. This prevents accidentally exposing sensitive fields like passwords, tokens, or internal IDs that exist on your Eloquent models.
Define $fillable or $guarded on every Eloquent model. Never use Model::create($request->all()) — always specify the exact fields: Model::create($request->validated()).
Validate file types, sizes, and MIME types. Use the mimes, mimetypes, and max validation rules. Store uploaded files outside the public directory and serve them through a controller.
If you must use DB::raw(), DB::select(), or whereRaw(), always use parameter binding. Never concatenate user input into SQL strings. Eloquent's query builder handles this automatically for standard operations.
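The validation, mass-assignment and resource items above in one flow, as an added example that is not code from the page or any project: a FormRequest with typed and bounded rules, a store action that inserts only validated fields and keeps the upload out of public/, and an API Resource that allow-lists the output. StoreProfileRequest, ProfileResource and the field names are assumptions.

```php
// Three files in one block (added example; names are assumptions).

// ---- app/Http/Requests/StoreProfileRequest.php ----
namespace App\Http\Requests;
use Illuminate\Foundation\Http\FormRequest;

class StoreProfileRequest extends FormRequest
{
    public function rules(): array
    {
        // Every field has a type and a bound; fields not listed here are
        // never returned by validated() or safe().
        return [
            'display_name' => ['required', 'string', 'max:60'],
            'website'      => ['nullable', 'url', 'max:255'],
            'avatar'       => ['nullable', 'file', 'mimes:jpg,png',
                               'mimetypes:image/jpeg,image/png', 'max:2048'], // KB
        ];
    }
}

// ---- app/Http/Controllers/ProfileController.php (store action only) ----
public function store(StoreProfileRequest $request): JsonResponse
{
    // Only rule-listed fields arrive here, so a client cannot smuggle
    // user_id or is_admin into the insert the way $request->all() would.
    $data = $request->safe()->except(['avatar']);
    $data['user_id'] = $request->user()->id;
    if ($request->hasFile('avatar')) {
        // storage/app/avatars sits outside public/; serve via a controller.
        $data['avatar_path'] = $request->file('avatar')->store('avatars');
    }
    $profile = Profile::create($data);            // still filtered by $fillable
    return (new ProfileResource($profile))->response()->setStatusCode(201);
}

// ---- app/Http/Resources/ProfileResource.php ----
class ProfileResource extends JsonResource
{
    public function toArray($request): array
    {
        // Allow-list of output: user_id, avatar_path and every other column stay server-side.
        return [
            'id'           => $this->id,
            'display_name' => $this->display_name,
            'website'      => $this->website,
        ];
    }
}
```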
Rate Limiting & Abuse Prevention
Use Laravel's built-in throttle middleware. Define rate limits in RouteServiceProvider using RateLimiter::for(). Apply stricter limits to authentication endpoints (5-10 per minute) and moderate limits to data endpoints (60 per minute).
Login, registration, password reset, and token generation endpoints should have aggressive rate limiting (e.g., 5 attempts per minute) to prevent brute-force and credential stuffing attacks.
When a client exceeds rate limits, return a 429 Too Many Requests response with the Retry-After header. Laravel's throttle middleware does this automatically.
Configure your web server (Nginx/Apache) and PHP to reject oversized request bodies. This prevents denial of service through large payload attacks. Set client_max_body_size in Nginx and post_max_size in PHP.
Never return unbounded result sets. Use Laravel's paginate() method and set a reasonable maximum per_page value. This prevents memory exhaustion and data harvesting.
Response Security & Headers
API error responses in debug mode include full stack traces, file paths, and environment variables. Set APP_DEBUG=false in production and use custom exception handling for clean error responses.
Set allowed_origins in config/cors.php to specific domains; never use the wildcard (*) for authenticated endpoints. Misconfigured CORS allows any website to make API requests on behalf of your users.
Add X-Content-Type-Options: nosniff, Cache-Control: no-store (for sensitive data), and Strict-Transport-Security headers to API responses via middleware.
Use a consistent JSON error format across all endpoints. Never expose internal error messages, database errors, or file paths. Return generic messages with appropriate HTTP status codes.
If an endpoint only handles GET requests, do not register it for POST, PUT, or DELETE. Use specific route methods (Route::get) instead of Route::any or Route::match with unnecessary methods.
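The header and error-format items above, as an added example that is not code from the page or any project: a middleware that stamps the three headers onto API responses, and an exception handler callback that returns one JSON shape for every error while keeping the throttle middleware's Retry-After header. The middleware name is assumed and the handler registration follows the Laravel 10 app/Exceptions/Handler.php layout.

```php
// Two files in one block (added example; the class name is an assumption).
// ---- app/Http/Middleware/ApiSecurityHeaders.php (add to the api group) ----
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ApiSecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Cache-Control', 'no-store');   // per-user data, never cache
        if ($request->isSecure()) {     // HSTS is only meaningful over TLS
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }
        return $response;
    }
}
// ---- app/Exceptions/Handler.php: register() ----
use Illuminate\Auth\AuthenticationException;
use Illuminate\Validation\ValidationException;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
use Throwable;
public function register(): void
{
    $this->renderable(function (Throwable $e, $request) {
        if (! $request->expectsJson()) {
            return null;                 // web requests keep the default handling
        }
        // Laravel has already mapped ModelNotFound to a 404 and AuthorizationException
        // to a 403 HttpException here. One JSON shape for all; details go to the log only.
        [$status, $errors] = match (true) {
            $e instanceof ValidationException     => [422, $e->errors()],
            $e instanceof AuthenticationException => [401, null],
            $e instanceof HttpExceptionInterface  => [$e->getStatusCode(), null],
            default                               => [500, null],
        };
        // Keep the exception's own headers: the 429 from throttle carries Retry-After.
        $headers = $e instanceof HttpExceptionInterface ? $e->getHeaders() : [];
        return response()->json([
            'message' => Response::$statusTexts[$status] ?? 'Error',
            'errors'  => $errors,
        ], $status, $headers);
    });
}
```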
Frequently Asked Questions
Should I use Sanctum or Passport for API authentication?
Use Sanctum for SPA authentication, mobile app tokens, and simple API token use cases. Use Passport when you need full OAuth2 support, such as when building an API that third-party developers will consume with authorization codes and client credentials.
How do I prevent API abuse without blocking legitimate users?
Implement tiered rate limiting: strict limits on authentication endpoints (5/minute), moderate limits on write endpoints (30/minute), and generous limits on read endpoints (120/minute). Use per-user rate limiting rather than per-IP to avoid blocking shared networks.
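The Rate Limiting section and this answer together, as an added example that is not code from the page or any project: three named limiters with the tiers given here (5/30/120 per minute), the auth tier budgeted per address and per account, the other tiers keyed per user, and an index action whose per_page is clamped. AuthController, ProfileController, ProfileResource and the limit names are assumptions.

```php
// Added example; limiter definitions go in RouteServiceProvider::boot()
// (Laravel 10) or AppServiceProvider::boot() (Laravel 11).
use App\Http\Controllers\AuthController;
use App\Http\Controllers\ProfileController;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// Tier 1: credential endpoints. No user exists yet, so two budgets apply at
// once: per address (one host spraying many accounts) and per submitted
// account (many hosts hammering one account). Both must pass.
RateLimiter::for('auth', fn (Request $r) => [
    Limit::perMinute(5)->by('ip:'.$r->ip()),
    Limit::perMinute(5)->by('acct:'.strtolower((string) $r->input('email'))),
]);

// Tiers 2 and 3: keyed on the authenticated user so a shared NAT is not
// penalised; IP is only the fallback for a request without a user.
RateLimiter::for('writes', fn (Request $r) =>
    Limit::perMinute(30)->by('u:'.($r->user()?->id ?? $r->ip())));
RateLimiter::for('reads', fn (Request $r) =>
    Limit::perMinute(120)->by('u:'.($r->user()?->id ?? $r->ip())));

// routes/api.php: the throttle middleware answers 429 with Retry-After itself.
Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:auth');
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/profiles',  [ProfileController::class, 'index'])->middleware('throttle:reads');
    Route::post('/profiles', [ProfileController::class, 'store'])->middleware('throttle:writes');
});

// ProfileController::index: a bounded page, never the whole table.
public function index(Request $request)
{
    // Client may ask for 1..100 rows; anything else is clamped, default 20.
    $perPage = min(max((int) $request->query('per_page', 20), 1), 100);
    return ProfileResource::collection(Profile::paginate($perPage));
}
```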
What CORS configuration is secure for a Laravel API?
Set allowed_origins to the specific domains that need access (e.g., your frontend domain). Never use the wildcard (*) for APIs that handle authenticated requests. Set allowed_methods to only the HTTP methods your API uses, and allowed_headers to only the headers you need.
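The CORS item in the Response Security section and this answer, as an added config example that is not from the page or any project: config/cors.php with each permissive default noted beside its hardened replacement. FRONTEND_URL and the header and method lists are assumptions for a Sanctum-backed SPA.

```php
<?php
// config/cors.php (added example; FRONTEND_URL and the lists are assumptions).
// Each "was" comment shows the permissive value this replaces.
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    // was ['*']. Wildcard plus supports_credentials makes the CORS layer echo
    // whatever Origin the browser sends, so any site can make credentialed
    // requests as the logged-in user. List the exact origins instead.
    'allowed_origins' => [env('FRONTEND_URL', 'https://app.example.com')],
    'allowed_origins_patterns' => [],

    // was ['*']. Only the verbs the API actually serves.
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],

    // was ['*']. Only the request headers the frontend really sends.
    'allowed_headers' => ['Content-Type', 'Authorization', 'X-Requested-With', 'X-XSRF-TOKEN'],

    // Retry-After is not CORS-safelisted; expose it or the SPA cannot read
    // the back-off hint that comes with a 429 from the throttle middleware.
    'exposed_headers' => ['Retry-After'],

    // Cache preflight results for ten minutes.
    'max_age' => 600,

    // Required for Sanctum's cookie-based SPA authentication; acceptable only
    // because allowed_origins above is an explicit list.
    'supports_credentials' => true,
];
```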
Related Fix Guides
How to Fix an Exposed .env File in Laravel
Your Laravel .env file is publicly accessible, exposing database credentials and API keys. Learn how to block access and secure your secrets.
How to Fix Debug Mode Enabled in Production Laravel
APP_DEBUG=true in production exposes stack traces, environment variables, and database credentials. Learn how to disable it safely.
How to Fix Missing Security Headers in Laravel
Your Laravel app is missing critical security headers like CSP, HSTS, and X-Frame-Options. Learn how to add them with middleware.
Other Checklists
Laravel Production Deployment Security Checklist
A comprehensive security checklist for deploying Laravel applications to production. Covers environment config, server hardening, access control, and monitoring.
Laravel Authentication Security Checklist
Harden your Laravel authentication system against brute-force attacks, session hijacking, and credential theft with this security checklist.
Laravel Pre-Launch Security Checklist
Essential security checks to complete before launching your Laravel application. Covers code review, configuration audit, infrastructure, and monitoring setup.