Laravel being a very flexible framework, it can be a great choice for building large applications in domains which require higher levels of application security. Some of such domains are Healthcare, Banking, Government, Ecommerce. Any website no matter what is the domain, needs to be secure. However, with the beforementioned domains, liabilities are much more because you are dealing with very sensitive data.

Security breaches can occure from many ways, not just from application's development vulnerabilities but some of the architecture level server backdoors or may be poor levels of access control. We will be just discussing the steps you can take on Laravel framework level to make sure there are no such loopholes or backdoors open for exploitation.

1. Authentication and ACL :

Let's get the basic definition of authentication first, Its the process of verifying the identity of a user. Authentication process is a key entry point using which user in your application logs in. It can be stateful which maintains a user session on server and client level or stateless/token based authentication. All the secure domains MUST have extremely robust and full proof authentication set up.

Below are some of the pointers you SHOULD consider : - Get minimum information about the user but make sure its verified/authentic. Earlier email verification was a key. Now a days there are so many disposable email services available or simply creating a new fake gmail account is not much of a pain, its no more a safe way to verify. You can use more personalized way of verification which is from user's mobile number. - Log the user's IP address and access geolocation. This will give you a couple of locations from which user frequently accesses the application login. If someone logs in from a different/new location, you can shoot an email or text message for an approval. This is extremely handy as if user denies that its not him/her, you can immediately block that user automatically until some futher unblock action is taken from the original user. - If your website allows passwords like test123 or abcd1234 or qwerty, it is a high time you need to go back and update that without thinking twice. You SHOULD enforce password strength policies. - Make sure you are not fooling around with the default password hashing in Laravel. If you do, make sure its a very strong authentication which is NOT reversible. The thumb rule is Implement a cryptography which is a one way function which means that you can convert your password to a hash, but you can not easily convert your hash to a password. - Enable throttling and if you see the large consecutive failed attempts, log it and report it to the user. Lock the user until he verifies its him/her. - If you are having username as the main login reference instead of email, do not override entire login functionality in Laravel. Laravel provides a handy way to do the same. - If you are using one time passwords(OTP) for any set of login authentication, make sure those are unique and enabled for limited duration with an expory time. Also, the route urls in which user enters the OTP can be a temporary signed url with an expiration time as well. - There should be NO admin with all access. The main misconception is, if there is an owner/higher level person, he/she has to have a login to see all information. There has to be a limit on what the higher level people see. - This can be a totally big topic of discussion, but I do not see a point of having 3rd party social logins in a secure website. You have to have total control over the authentication process. If I am logging through google, you know how easy it is to have a face gmail account. - STOP integrating 3rd party plugin directly into authentication unless you study them entirely, view issues threads or may be contact the developers for more details infomation on how their plugin is maintaining basic security. The last think you would want is, having your application secured but a 3rd party plugin you installed has a backdoor for exploitation. - - Even if your website has just few sets of user types, set role for each user. -