
OWASP 2025 (A01-A10) Quick Fixes for Laravel 12

This tutorial is a copy/paste checklist for the first 10 categories (A01-A10). Each section includes a practical fix snippet and a link to the full page.

A01: Broken Access Control

Full page: /en/Vulnerabilities/BrokenAccessControl

// Controller: authorize against the server-loaded model before acting on it.
use Illuminate\Support\Facades\Gate;

Gate::authorize('update', $post);

// app/Policies/PostPolicy.php: denyAsNotFound() answers 404 instead of 403,
// so a non-owner cannot confirm that the post exists.
use Illuminate\Auth\Access\Response;

public function update(User $user, Post $post): Response
{
    return $user->id === $post->user_id
        ? Response::allow()
        : Response::denyAsNotFound();
}

A02: Security Misconfiguration

Full page: /en/Vulnerabilities/SecurityMisconfiguration

# .env
APP_ENV=production
APP_DEBUG=false
SANCTUM_STATEFUL_DOMAINS=app.example.com

// config/session.php
'secure' => env('SESSION_SECURE_COOKIE', env('APP_ENV') === 'production'),
'http_only' => env('SESSION_HTTP_ONLY', true),
'same_site' => env('SESSION_SAME_SITE', 'lax'),

A03: Software Supply Chain Failures

Full page: /en/Vulnerabilities/SoftwareSupplyChainFailures

composer audit
composer outdated

A04: Cryptographic Failures

Full page: /en/Vulnerabilities/CryptographicFailures

# .env (keep previous keys listed so existing ciphertexts still decrypt after rotation)
APP_KEY=base64:NEW_KEY_HERE
APP_PREVIOUS_KEYS=base64:OLD_KEY_1,base64:OLD_KEY_2

// Hash passwords; encrypt (never hash) values you need to read back.
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Crypt;

$password = Hash::make($request->password);
$encrypted = Crypt::encryptString($sensitiveValue);

A05: Injection

Full page: /en/Vulnerabilities/Injection

// Bind user input as a value; never concatenate it into SQL.
$query->where('email', $request->string('email'));

// Column names cannot be bound, so allowlist them.
$allowedSorts = ['name', 'created_at'];

$sort = in_array($request->sort, $allowedSorts, true)
    ? $request->sort
    : 'created_at';

$query->orderBy($sort);

A06: Insecure Design

Full page: /en/Vulnerabilities/InsecureDesign

use Illuminate\Support\Facades\Gate;
 
Gate::authorize('update', $post);
abort_unless($post->status === 'draft', 422);
$post->update(['status' => 'published']);
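A feature test for the A01 and A06 snippets above, added here as an example and not part of the original page. It assumes a `Post` model with `user_id` and `status` columns, model factories for `User` and `Post`, and a `PATCH` route named `posts.publish` that runs the `Gate::authorize` call followed by the draft check; it verifies that a non-owner receives 404 rather than 403 and that the draft-only rule holds for the owner.

```php
<?php
// tests/Feature/PostPublishAuthorizationTest.php
// Assumptions: Post(user_id, status), factories for User and Post,
// and a PATCH route 'posts.publish' wired to the A01/A06 code.
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostPublishAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_owner_can_publish_a_draft(): void
    {
        $owner = User::factory()->create();
        $post = Post::factory()->create(['user_id' => $owner->id, 'status' => 'draft']);

        $this->actingAs($owner)
            ->patch(route('posts.publish', $post))
            ->assertSuccessful();

        $this->assertSame('published', $post->fresh()->status);
    }

    public function test_non_owner_gets_404_not_403(): void
    {
        // denyAsNotFound() must hide the post's existence from other users.
        $other = User::factory()->create();
        $post = Post::factory()->create(['status' => 'draft']);

        $this->actingAs($other)
            ->patch(route('posts.publish', $post))
            ->assertNotFound();

        // The authorization failure must leave the record untouched.
        $this->assertSame('draft', $post->fresh()->status);
    }

    public function test_owner_cannot_republish_a_published_post(): void
    {
        $owner = User::factory()->create();
        $post = Post::factory()->create(['user_id' => $owner->id, 'status' => 'published']);

        $this->actingAs($owner)
            ->patch(route('posts.publish', $post))
            ->assertStatus(422);
    }
}
```

If the controller redirects after publishing, replace `assertSuccessful()` with `assertRedirect()`.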

A07: Authentication Failures

Full page: /en/Vulnerabilities/AuthenticationFailures

$request->session()->regenerate();
$token = $user->createToken('api', ['orders:read'])->plainTextToken;

A08: Software or Data Integrity Failures

Full page: /en/Vulnerabilities/SoftwareOrDataIntegrityFailures

// Never trust client-submitted ownership: take the author from the session,
// and the parent from the route-bound model, not from the request body.
Comment::create([
    'post_id' => $post->id,
    'user_id' => $request->user()->id,
    'body' => $request->string('body')->toString(),
]);

A09: Security Logging and Alerting Failures

Full page: /en/Vulnerabilities/SecurityLoggingAndAlertingFailures

use Illuminate\Support\Facades\Log;

// Attach request-wide context once; every later log line carries it.
Log::withContext([
    'correlation_id' => $request->header('X-Request-Id'),
    'user_id' => $request->user()?->id,
    'tenant_id' => $request->user()?->getAttribute('tenant_id'),
    'ip' => $request->ip(),
]);

// Route security events to a dedicated channel that alerting can watch.
Log::channel('security')->warning('auth.login_failed', [
    'email' => $request->string('email')->toString(),
    'reason' => 'invalid_credentials',
]);

A10: Mishandling of Exceptional Conditions

Full page: /en/Vulnerabilities/MishandlingExceptionalConditions

// Fail closed on a dependency timeout: report it and return a clear 503
// instead of letting the comment through or leaking the exception.
try {
    $spamDetectionService->isSpam($commentBody);
} catch (SpamServiceTimeout $e) {
    report($e);
    return response()->json(['message' => 'Temporary outage.'], 503);
}