Laravel Security Scoring Methodology

How we grade Laravel open source projects. 40 framework-aware static analysis checks covering mass assignment, SQL injection, XSS, CSRF, credential leaks, dependency vulnerabilities, and more. Every check, every threshold, every rule — published openly.

Grading Rubric

Grade  Criteria
A      Zero high or critical findings, fewer than 3 medium findings
B      Zero critical, at most 1 high, fewer than 6 medium
C      At most 2 high findings
D      Everything else

Only grade A is displayed publicly. B/C/D grades are visible only to claimed maintainers.

Security Checks

ID     Check                              Severity  Category      Description
SS001  Mass Assignment                    high      code          Eloquent models without $fillable or $guarded
SS002  Raw SQL with Tainted Input         critical  code          DB::raw, whereRaw, selectRaw with user input
SS003  Dangerous Sinks                    critical  code          eval, shell_exec, unserialize reachable from request input
SS007  Unvalidated Request Input          medium    code          Controllers using request data without validation
SS008  Hardcoded Credentials              high      code          Passwords, API keys, and secrets in source code
SS009  File Upload Without Validation     high      code          File uploads without type or size validation
SS040  Insecure Random Generation         medium    code          rand()/mt_rand() in security-sensitive contexts
SS041  Open Redirect                      high      code          Redirects using unvalidated user input
SS042  Weak Hashing                       high      code          md5/sha1 used for password hashing
SS043  Unsafe Deserialization             critical  code          unserialize() with user-controlled or unconstrained data
SS044  Blade Raw Output                   medium    code          {!! !!} raw output in Blade templates
SS053  Missing Authorization              medium    code          Controllers with store/update/destroy but no authorization
SS054  Mass Delete Without Constraints    medium    code          truncate() or delete() without a where clause
SS010  APP_KEY Missing or Weak            critical  config        Missing, short, or committed APP_KEY
SS011  Weak Encryption Cipher             medium    config        Non-standard cipher in config/app.php
SS012  Debug Mode in Production           high      config        APP_DEBUG=true in production env files
SS013  Dev Tools in Production            medium    config        Telescope or Debugbar in the production require list
SS014  Debug Log Level                    low       config        Debug log level in production env
SS015  Session Cookie Security            medium    config        Insecure session cookie settings
SS016  Wildcard CORS                      medium    config        Wildcard origins in CORS configuration
SS017  Mail Driver in Production          low       config        Mail driver set to log or array in production
SS045  Trusted Proxies Wildcard           medium    config        TrustProxies middleware trusts all proxies
SS046  Broadcasting Auth                  medium    config        Broadcasting channels without authorization checks
SS047  Queue Sync in Production           medium    config        QUEUE_CONNECTION=sync in production env
SS048  File Cache in Production           low       config        CACHE_DRIVER=file in production env
SS049  Missing HTTPS                      medium    config        APP_URL not using HTTPS in production
SS004  Auth Routes Without Throttle       medium    routes        Login, register, password reset without rate limiting
SS005  Route Model Binding Without Auth   medium    routes        User-scoped routes without auth middleware
SS006  CSRF Exemptions                    high      routes        CSRF exemptions on state-changing routes
SS050  API Rate Limiting                  medium    routes        API routes without throttle middleware
SS051  Debug Routes                       high      routes        Debug/test routes left in route files
SS052  Wildcard Routes                    low       routes        Overly broad catch-all route parameters
SS020  Exposed Sensitive Files            critical  filesystem    .env or .git accessible under public/
SS021  Storage Symlink Exposure           medium    filesystem    Sensitive files in public storage
SS022  World-Writable Files               high      filesystem    Sensitive files with overly permissive permissions
SS057  Writable Config Files              medium    filesystem    Config files writable in production
SS058  Backup Files Exposed               high      filesystem    Database dumps or archives in public directory
SS030  Known Advisories                   high      dependencies  Packages with known security advisories
SS055  Outdated Laravel                   medium    dependencies  Laravel version below current LTS
SS056  Insecure Packages                  high      dependencies  Known-insecure package versions in require