Laravel Pre-Launch Security Checklist

The composer audit command checks your installed packages against the PHP Security Advisories database. Fix or update any packages with known CVEs before launching.

The unescaped output syntax {!! !!} can introduce XSS vulnerabilities if used with user-supplied data. Search your entire codebase and ensure each usage is intentional and safe.

Search for DB::raw(), whereRaw(), selectRaw(), and DB::statement() calls. Verify that all user input is passed as bound parameters, not concatenated into SQL strings.

Ensure all file upload endpoints validate MIME types, file extensions, and file sizes. Store uploads outside the web root and serve them through a controller with proper access checks.

Search for routes that were added for testing or debugging. Remove any endpoints that return phpinfo(), dump debug data, or bypass authentication. Check both web.php and api.php.

Double-check your production .env file. Debug mode is the most commonly exploited Laravel misconfiguration. A single error page in debug mode reveals your entire environment.

The production APP_KEY must be unique and never committed to version control. If your development key was ever exposed (committed to Git, shared in a chat), generate a new one.

Verify secure is true, http_only is true, and same_site is set to lax or strict. Check that the session lifetime is appropriate for your application's sensitivity level.

Ensure allowed_origins is set to specific domains, not the wildcard (*). Check that allowed_methods and allowed_headers are restricted to what your application actually needs.

Ensure you are not using Mailtrap, log, or array mail drivers in production. Verify MAIL_FROM_ADDRESS is set to a real domain you control with proper SPF/DKIM records.

Ensure your SSL certificate is valid, not expired, and covers all subdomains you use. Test with an SSL checker tool. Set up auto-renewal if using Let's Encrypt.

Set up SPF, DKIM, and DMARC records to prevent email spoofing from your domain. This protects your users from phishing attacks that impersonate your application.

Ports 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), and 11211 (memcached) must not be accessible from the public internet. Test with a port scanner from an external network.

Configure daily database backups stored in a separate location from your application server. Test backup restoration to verify backups are complete and usable.

Stale DNS records pointing to decommissioned services can be exploited for subdomain takeover attacks. Audit your DNS zone for records pointing to unused services.

Production errors should be captured and alerted on, not displayed to users. Configure an error monitoring service to track exceptions, performance issues, and deployment regressions.

Monitor your application's availability and response time. Get alerted immediately when your application goes down or response times exceed acceptable thresholds.

Continuous external security monitoring catches configuration drift, expired SSL certificates, exposed debug tools, and missing security headers that internal monitoring misses.

Define who gets notified, what steps to take, and how to communicate with users if a security incident occurs. Even a simple one-page plan is better than no plan at all.

Centralize your application and server logs in a searchable system. Define a retention period that meets your compliance requirements. Logs are essential for post-incident investigation.