PHPackages directory entry: ind4skylivey/laravel-secure-baseline (category: Testing & Quality; status: Active; type: Library)

ind4skylivey/laravel-secure-baseline
====================================

Laravel Secure Baseline – Automated security checks for your Laravel app.

Latest release: v0.2.0 (5 months ago) · [1 PR](https://github.com/ind4skylivey/laravel-secure-baseline/pulls) · License: BSL-1.1 · Language: PHP · Requires PHP ^8.2 · CI passing

Listed since Dec 3 · last pushed 2 months ago

[Source](https://github.com/ind4skylivey/laravel-secure-baseline) · [Packagist](https://packagist.org/packages/ind4skylivey/laravel-secure-baseline) · [Docs](https://github.com/ind4skylivey/laravel-secure-baseline) · [RSS](/packages/ind4skylivey-laravel-secure-baseline/feed) · Branch: main (synced 1 month ago)

README (Changelog: 1 entry · Dependencies: 4 · Versions: 5 · Used by: 0)

Laravel Secure Baseline 🛡️ — Automated Laravel security scanner
===============================================================

### **Automated Laravel Security Scanner — Catch Misconfigurations Before Production**

[![Secure scan demo](assets/secure-scan-demo.gif)](assets/secure-scan-demo.gif)

[![CLI output](assets/cli-demo.png)](assets/cli-demo.png)[![HTML report preview](assets/report-demo.png)](assets/report-demo.png)

Badges: PHP 8.1+ (note that the package metadata above lists PHP ^8.2) · Laravel 10 | 11 · License BSL 1.1 · tests passing · [Packagist version](https://packagist.org/packages/ind4skylivey/laravel-secure-baseline) · [Packagist downloads](https://packagist.org/packages/ind4skylivey/laravel-secure-baseline/stats)

**Run one Artisan command. Get instant Laravel security audit. Deploy with confidence.**

```
php artisan secure:scan
```

[🚀 Quick Start](#-quick-start-secure-your-laravel-app-in-60-seconds) • [📋 Features](#-features) • [🔍 What It Checks](#-laravel-security-checks-covered-what-laravel-secure-baseline-checks) • [⚙️ Configuration](#configuration) • [🔄 CI/CD Integration](#-laravel-cicd-integration) • [📚 Docs](#-documentation)

---

⭐ **Star this repo** if you believe in secure-by-default Laravel applications!

---

🚨 The Problem: Laravel Security Audit Gaps in Production
--------------------------------------------------------

Laravel applications in production often suffer from **critical security misconfigurations** that expose sensitive data, leak credentials, and create attack vectors. These vulnerabilities aren't code bugs—they're configuration oversights that slip through manual reviews.

Common Laravel security issues include `APP_DEBUG=true` leaking stack traces that carry database credentials and other environment values, a missing or weak `APP_KEY` (the key Laravel uses to encrypt and sign cookies and session data), overly permissive CORS policies (`allowed_origins = *`), dashboards such as Laravel Telescope and Horizon left reachable without authorization, and security headers (`X-Frame-Options`, `Strict-Transport-Security`) absent altogether. According to security research, **78% of breaches involve misconfiguration**, not code vulnerabilities.

Manual Laravel security checklists are time-consuming, error-prone, and often skipped under deployment pressure. Teams need **automated Laravel security baseline checks** that run in seconds and integrate seamlessly into CI/CD pipelines.

✨ The Solution: Automated Laravel Security Baseline Scanner
-----------------------------------------------------------

**Laravel Secure Baseline** is a zero-configuration Laravel security audit tool that scans your application in seconds and produces actionable security findings. Run one Artisan command to validate environment configuration, session security, CORS policies, security headers, debug route exposure, and dependency versions against Laravel security best practices.

No complex setup. No security expertise required. Install the package, run `php artisan secure:scan`, and get a color-coded Laravel security report with **pass (✅)**, **warning (⚠️)**, and **fail (❌)** statuses. Export results as JSON, Markdown, HTML, or SARIF (the format GitHub code scanning ingests into the repository's Security tab). Suited to local development, staging validation, and production deployment gates.

🙌 Why Laravel Developers Use This Scanner
-----------------------------------------

- Built for CI: Add security checks to every pull request so misconfigurations never reach production.
- Secure deploys: Enforce a repeatable security baseline before each release.
- Actionable findings: Provide remediation steps tuned for Laravel 10/11.
- Fits real pipelines: Works with GitHub Actions, GitLab CI, Jenkins, and self-hosted runners.
- Production-ready: Flags exposed debug and dashboard routes, weak session cookie flags, missing HSTS and other security headers, and outdated dependencies.

---

📋 Features
----------

### 🔍 Comprehensive Laravel Security Checks

- ✅ **Configuration Audit** — `APP_DEBUG`, `APP_ENV`, `APP_KEY`, `APP_URL`, `LOG_LEVEL`
- ✅ **Session & Cookie Security** — `SESSION_SECURE_COOKIE`, `SESSION_HTTP_ONLY`, `SESSION_SAME_SITE`
- ✅ **CORS Policy Validation** — Detect wildcard origins, dangerous methods
- ✅ **Security Headers** — `X-Frame-Options`, `HSTS`, `X-Content-Type-Options`, CSP
- ✅ **Route Exposure Detection** — `/telescope`, `/horizon`, `/phpinfo`, debug endpoints
- ✅ **Dependency Version Checks** — Laravel version, security patch warnings
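To make the first three check categories concrete, here is an added example (not the package's own code) of how such configuration, session-cookie and CORS checks work, written as framework-free PHP that runs offline with plain `php` against a constructed `.env`-style array and a `config/cors.php`-style array. The severity thresholds, messages and function names are assumptions for illustration, not the package's actual rules.

```php
<?php
// Added example, not the package's code: framework-free sketch of the config,
// session-cookie and CORS checks, run against constructed sample input.
declare(strict_types=1);

/** Each check returns a list of [status, message] pairs; status is pass|warning|fail. */
function checkAppKey(array $env): array
{
    $key = $env['APP_KEY'] ?? '';
    if ($key === '') {
        return [['fail', 'APP_KEY is empty: cookies, sessions and signed URLs cannot be protected']];
    }
    // `php artisan key:generate` writes "base64:" followed by 32 random bytes (AES-256-CBC).
    $raw = str_starts_with($key, 'base64:') ? base64_decode(substr($key, 7), true) : $key;
    if ($raw === false || strlen($raw) < 32) {
        return [['fail', 'APP_KEY is not a 32-byte key; regenerate with php artisan key:generate']];
    }
    return [['pass', sprintf('APP_KEY is set (%d bytes)', strlen($raw))]];
}

function checkDebug(array $env): array
{
    $debug      = filter_var($env['APP_DEBUG'] ?? 'false', FILTER_VALIDATE_BOOLEAN);
    $production = ($env['APP_ENV'] ?? 'production') === 'production';
    if ($debug && $production) {
        return [['fail', 'APP_DEBUG=true in production exposes stack traces and environment values']];
    }
    return [[$debug ? 'warning' : 'pass', 'APP_DEBUG is ' . ($debug ? 'enabled (non-production)' : 'disabled')]];
}

function checkSessionCookies(array $env): array
{
    $findings = [];
    if (!filter_var($env['SESSION_SECURE_COOKIE'] ?? 'false', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = ['warning', 'SESSION_SECURE_COOKIE is false: session cookie may travel over plain HTTP'];
    }
    if (!filter_var($env['SESSION_HTTP_ONLY'] ?? 'true', FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = ['fail', 'SESSION_HTTP_ONLY is false: session cookie is readable by injected scripts'];
    }
    $sameSite = strtolower($env['SESSION_SAME_SITE'] ?? '');
    if (!in_array($sameSite, ['lax', 'strict'], true)) {
        $findings[] = ['warning', "SESSION_SAME_SITE is '{$sameSite}' (recommended: lax or strict)"];
    }
    return $findings ?: [['pass', 'Session cookie flags are hardened']];
}

function checkCors(array $cors): array
{
    $wildcardOrigin = in_array('*', $cors['allowed_origins'] ?? [], true);
    $credentials    = (bool) ($cors['supports_credentials'] ?? false);
    $findings = [];
    if ($wildcardOrigin) {
        $findings[] = ['fail', 'allowed_origins contains "*" (any origin may read responses)'];
    }
    if ($wildcardOrigin && $credentials) {
        // Laravel's CORS middleware reflects the request Origin in this combination,
        // so any site can make credentialed requests on behalf of a logged-in user.
        $findings[] = ['fail', 'supports_credentials is true together with a wildcard origin'];
    }
    if (in_array('*', $cors['allowed_methods'] ?? [], true)) {
        $findings[] = ['warning', 'allowed_methods is "*" (PUT/DELETE exposed cross-origin)'];
    }
    return $findings ?: [['pass', 'CORS policy is restricted to named origins']];
}

/** Run every check and tally statuses, mirroring the scanner's JSON "totals" block. */
function runBaseline(array $env, array $cors): array
{
    $findings = array_merge(checkAppKey($env), checkDebug($env), checkSessionCookies($env), checkCors($cors));
    $totals   = ['pass' => 0, 'warning' => 0, 'fail' => 0];
    foreach ($findings as [$status, $message]) {
        $totals[$status]++;
    }
    $totals['total'] = count($findings);
    return ['findings' => $findings, 'totals' => $totals];
}

// Constructed sample input (not from any real application); the key is a fake 32-byte value.
$env = [
    'APP_ENV'               => 'production',
    'APP_DEBUG'             => 'true',
    'APP_KEY'               => 'base64:' . base64_encode('0123456789abcdef0123456789abcdef'),
    'SESSION_SECURE_COOKIE' => 'false',
    'SESSION_HTTP_ONLY'     => 'true',
    'SESSION_SAME_SITE'     => 'lax',
];
$cors = ['allowed_origins' => ['*'], 'allowed_methods' => ['*'], 'supports_credentials' => true];

$result = runBaseline($env, $cors);
foreach ($result['findings'] as [$status, $message]) {
    printf("[%-7s] %s\n", strtoupper($status), $message);
}
echo json_encode($result['totals']), PHP_EOL;
// Non-zero exit on any failure so a CI job can gate on it, like --fail-on=fail.
exit($result['totals']['fail'] > 0 ? 1 : 0);
```

Two points worth noticing: the `APP_KEY` check decodes the `base64:` prefix and measures the raw byte length rather than counting characters, because the encoded form is 44 characters for a 32-byte key; and the CORS check treats a wildcard origin combined with `supports_credentials` as its own failure, since that is the combination that turns a loose policy into credentialed cross-site access.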

### ⚡ Developer-Friendly Integration

- 🚀 **Zero Configuration** — Works out of the box
- 📊 **Multiple Export Formats** — JSON, Markdown, HTML, SARIF
- 🔄 **CI/CD Ready** — GitHub Actions, GitLab CI, Jenkins
- 🎯 **Flexible Fail Conditions** — `--fail-on=warning` or `--fail-on=fail`
- 🧩 **Extensible Architecture** — Add custom security scanners
- ⚡ **Lightning Fast** — Complete scan in < 5 seconds

🆚 Laravel Security Scanner Comparison
-------------------------------------

| Capability | Laravel Secure Baseline | Enlightn (free) | No scanner |
|---|---|---|---|
| Setup time | 60 seconds (`composer require` + `php artisan secure:scan`) | Requires config + account | N/A |
| CI enforcement | Fails pipeline via `--fail-on` | Limited in free tier | None |
| Focus | Env/config hardening for production | Code insights/performance | Hope-and-pray |
| Config checks (APP_DEBUG/APP_KEY/headers) | ✔️ | Partial | ❌ |
| Telemetry | None (runs in your CI) | SaaS telemetry | N/A |
| Output formats | CLI, JSON, MD, HTML, SARIF | Dashboard + CLI | None |

---

🚀 Quick Start: Secure Your Laravel App in 60 Seconds
----------------------------------------------------

### Installation

Install via Composer in your Laravel project:

```
# Install the package (dev dependency)
composer require ind4skylivey/laravel-secure-baseline --dev

# Optional: Publish configuration
php artisan vendor:publish --tag=secure-baseline-config
```

### Run Your First Laravel Security Scan

```
# Run a complete security audit
php artisan secure:scan

# Generate detailed report
php artisan secure:report --format=html --output=security-report.html

# Fail CI builds on warnings (strict mode)
php artisan secure:scan --fail-on=warning --error-exit-code=1
```

**That's it!** No configuration files to edit. No learning curve. Just instant Laravel security insights. One practical note: because the package is installed with `--dev`, it is absent after `composer install --no-dev`, so run the scan in CI or on a staging box against the production `.env` and config rather than expecting it on the production host.

---

📊 Example Output: Laravel Security Scan Results
-----------------------------------------------

### Console Output (CLI)

```
$ php artisan secure:scan

🛡️  Laravel Secure Baseline — Security Audit Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

⚙️  Configuration Security
   ✅ APP_KEY is set (32 characters)
   ✅ APP_DEBUG is disabled (production mode)
   ✅ APP_ENV set to 'production'
   ⚠️  LOG_LEVEL is 'debug' (recommended: 'error' or 'warning' in production)

🍪 Session & Cookie Security
   ✅ SESSION_DRIVER is 'redis' (secure)
   ⚠️  SESSION_SECURE_COOKIE is false (set to true for HTTPS-only cookies)
   ⚠️  SESSION_SAME_SITE not set (recommended: 'lax' or 'strict')
   ✅ SESSION_HTTP_ONLY is true

🌐 CORS Configuration Audit
   ❌ CORS allowed_origins contains wildcard "*" (allows any origin)
   ⚠️  CORS allows all HTTP methods (PUT, DELETE exposed)
   ❌ CORS supports_credentials is true with wildcard origins (security risk)

🛡️  Security Headers
   ✅ X-Frame-Options: SAMEORIGIN
   ✅ X-Content-Type-Options: nosniff
   ❌ Strict-Transport-Security header missing (HSTS required for HTTPS)
   ⚠️  Content-Security-Policy not configured

🚪 Debug Routes & Endpoint Exposure
   ❌ /telescope route is publicly accessible (GET, POST)
      → No authentication middleware detected
      → Recommendation: Add Gate authorization or disable in production
   ✅ /horizon route protected by authentication middleware
   ✅ No /phpinfo routes detected

📦 Laravel Framework & Dependencies
   ✅ Laravel 11.31.0 detected (up to date)
   ⚠️  Running PHP 8.1.12 (PHP 8.2+ recommended for security patches)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Summary: 9 passed • 7 warnings • 4 critical failures

💡 Recommendation: Fix critical failures before deploying to production.
   Run: php artisan secure:report --format=md for detailed remediation steps.
```

### JSON Output (For Automation)

```
$ php artisan secure:scan --format=json | jq '.totals'

{
  "pass": 9,
  "warning": 7,
  "fail": 4,
  "total": 20
}
```

---

📄 Example Markdown Report
-------------------------

Running `php artisan secure:report --format=md` generates a detailed report:

````
# Laravel Security Baseline Report

**Generated:** 2025-11-11 14:32 UTC
**Application:** production
**Laravel Version:** 11.31.0

## 🎯 Executive Summary

- ✅ **9 checks passed** — Good security baseline
- ⚠️ **7 warnings** — Recommended improvements
- ❌ **4 critical failures** — Require immediate action

**Overall Risk Level:** HIGH — Production deployment not recommended

---

## ❌ Critical Failures (Must Fix)

### 1. CORS Wildcard Origins
**Severity:** CRITICAL
**Category:** CORS Configuration

**Finding:** CORS `allowed_origins` is set to `["*"]` while `supports_credentials` is `true`; in that combination the CORS middleware reflects the request `Origin`, so any website can make credentialed cross-origin requests and read the responses.

**Risk:** Attackers can exfiltrate user data via malicious websites.

**Remediation:**
```php
// config/cors.php
'allowed_origins' => [
    'https://yourdomain.com',
    'https://app.yourdomain.com',
],
'supports_credentials' => true,
```

### 2. Laravel Telescope Publicly Accessible
**Severity:** CRITICAL
**Category:** Debug Route Exposure

**Finding:** `/telescope` route accessible without authentication in production.

**Risk:** Exposes database queries, Redis commands, exceptions, and user sessions.

**Remediation:**
```php
// app/Providers/TelescopeServiceProvider.php
// Requires `use Illuminate\Support\Facades\Gate;` at the top of the file.
// Telescope bypasses this gate when APP_ENV=local; in every other environment
// the authenticated user must satisfy it.
protected function gate()
{
    Gate::define('viewTelescope', fn ($user) =>
        in_array($user->email, ['admin@yourdomain.com'], true)
    );
}
```

---

## ⚠️ Warnings (Recommended)

### Session Secure Cookie Flag

Set `SESSION_SECURE_COOKIE=true` in `.env` to prevent cookie transmission over HTTP.

### Missing HSTS Header

Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` header via middleware.

---

## ✅ Passed Checks

- APP_KEY properly configured
- APP_DEBUG disabled in production
- X-Frame-Options header set
- No /phpinfo routes detected
- Laravel framework up to date

---

**Next Steps:**

1. Fix 4 critical failures
2. Review 7 warnings
3. Re-run scan: `php artisan secure:scan`
4. Deploy with confidence
````
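The report's HSTS warning says to add the header "via middleware" without showing one. The following is an added example (not the package's code and not the report's own remediation text) of a Laravel middleware that emits the headers the "Security Headers" check looks for. The class name `SecurityHeaders`, the CSP policy and the `Referrer-Policy` value are assumptions; tune the CSP to your asset hosts before enabling it.

```php
<?php
// Added example, not the package's code: global middleware that sets the headers
// the scanner's "Security Headers" category checks. Class name and policy values
// are assumptions for illustration.
declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

final class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);
        $headers  = $response->headers;

        $headers->set('X-Frame-Options', 'SAMEORIGIN');
        $headers->set('X-Content-Type-Options', 'nosniff');
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        // Restrictive starting policy: add specific script/style hosts rather than
        // 'unsafe-inline'. frame-ancestors is the CSP counterpart of X-Frame-Options.
        $headers->set(
            'Content-Security-Policy',
            "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
        );

        // HSTS is only honoured by browsers on HTTPS responses, so emit it only there.
        // Behind a TLS-terminating load balancer, isSecure() is true only when the
        // proxy is trusted (Laravel's TrustProxies configuration), which is why the
        // checklist says to rerun the scan after load-balancer or CDN changes.
        if ($request->isSecure()) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        return $response;
    }
}
```

Register it globally: on Laravel 11, in `bootstrap/app.php` with `->withMiddleware(fn (Middleware $middleware) => $middleware->append(\App\Http\Middleware\SecurityHeaders::class))`; on Laravel 10, by adding the class to the `$middleware` array in `app/Http/Kernel.php`. `includeSubDomains` commits every subdomain to HTTPS, so confirm that all of them serve TLS before shipping it, then re-run `php artisan secure:scan` to confirm the header findings clear.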

---

✅ Production Deployment Checklist for Secure Laravel Deployments
----------------------------------------------------------------

- Run `php artisan secure:scan --fail-on=fail` before every release to enforce the Laravel security baseline.
- Review CORS, session, and header findings to harden HTTPS and cookie handling for production.
- Export SARIF or HTML reports for audit trails and attach them to deployment artifacts.
- Enable Laravel CI security checks in your pipeline (GitHub Actions example below) to block risky builds automatically.
- Confirm `APP_DEBUG=false`, a strong `APP_KEY` generated with `php artisan key:generate`, and `SESSION_SECURE_COOKIE=true` prior to tag creation.
- Rerun after infrastructure changes (load balancers, CDN) to validate security headers and HTTPS redirects.

Configuration
-------------

### Publishing Configuration

```
php artisan vendor:publish --tag=secure-baseline-config
```

This creates `config/secure-baseline.php` where you can customize scanner behavior.

### Key Configuration Options

```
