Laravel Production Deployment Security Checklist

Debug mode exposes full stack traces, environment variables, and database credentials in error pages. This is the single most common Laravel security misconfiguration in production.

Setting the environment to production ensures Laravel uses production-appropriate error handling, caching, and logging. Some packages also change behavior based on this value.

The APP_KEY is used to encrypt session data, cookies, and other sensitive values. Never reuse the key from development or share it between environments. Run php artisan key:generate to create a new one.

Your .env file contains database credentials, API keys, and the APP_KEY. Ensure your web server does not serve this file by testing the URL directly: yourapp.com/.env should return a 404.

Use the daily or stack log channel in production. The single channel creates one massive log file that is hard to manage. Ensure logs do not contain sensitive user data.

All production traffic must use HTTPS. Obtain a certificate from Let's Encrypt or your provider, and ensure it covers all subdomains. Set URL::forceScheme('https') in AppServiceProvider.

Add the Strict-Transport-Security header to tell browsers to always use HTTPS. Use a long max-age (31536000 seconds = 1 year) and include includeSubDomains if applicable.

Database ports (3306, 5432), Redis (6379), and memcached (11211) should not be accessible from the public internet. Use firewall rules to restrict access to your application server only.

The storage and bootstrap/cache directories need to be writable by the web server but should not be world-writable. Use 775 with the correct group ownership.

Directory listing allows anyone to browse your file structure. Disable it in your Nginx or Apache configuration to prevent information leakage.

Telescope records requests, queries, exceptions, and more. In production, either disable it entirely or restrict access with the gate() method in TelescopeServiceProvider to admin users only.

Horizon's dashboard shows job details and Redis information. Use the gate() method in HorizonServiceProvider to restrict access to authorized users only.

Laravel ships with a default /api/user route. Remove it if unused, or ensure it requires authentication. Review routes/api.php and routes/web.php for any unnecessary endpoints.

Check config/auth.php for the passwords.users.expire value. The default is 60 minutes, which is reasonable. Shorter values (15-30 minutes) are more secure for sensitive applications.

Apply the throttle middleware to authentication routes to prevent brute-force attacks. Laravel Breeze and Fortify include this by default, but verify it is active.

CSP prevents XSS attacks by specifying which sources of content are allowed. Start with a restrictive policy and loosen it as needed. At minimum, set default-src 'self'.

This header prevents clickjacking attacks by controlling whether your site can be embedded in iframes. Set it to DENY unless you specifically need iframe embedding.

Prevents browsers from MIME-type sniffing, which can lead to security vulnerabilities when the browser interprets files differently than intended.

Controls how much referrer information is sent with requests. Set to strict-origin-when-cross-origin or no-referrer to prevent leaking URLs to third parties.

Use a tool like StackShield to continuously monitor your application's external security posture. Deployments, server updates, and configuration changes can silently introduce vulnerabilities.