CSRF (Cross-Site Request Forgery) protection in Laravel automatically generates and validates tokens for each active user session. It's implemented through the VerifyCsrfToken middleware and @csrf Blade directive in forms.
Laravel provides XSS (Cross-Site Scripting) protection by automatically escaping output using {{ }} Blade syntax. HTML entities are converted to prevent script injection. Use {!! !!} for trusted content that needs to render HTML.
Laravel prevents SQL injection using PDO parameter binding in the query builder and Eloquent ORM. Query parameters are automatically escaped. Never concatenate strings directly into queries.
Laravel automatically hashes passwords using the Hash facade and bcrypt or Argon2 algorithms. Never store plain-text passwords. Password hashing is handled by the HashedAttributes trait in the User model.
Signed routes are URLs with a signature that ensures they haven't been modified. They are created using URL::signedRoute() or URL::temporarySignedRoute() and are useful for email verification or temporary access links.
Laravel sets the HTTP-only flag on cookies by default to prevent JavaScript access. Session cookies are automatically HTTP-only. The configuration can be modified in config/session.php.
Mass assignment protection prevents unintended attribute modification through $fillable and $guarded properties in models. Attributes must be explicitly marked as fillable to allow mass assignment.
Laravel includes security headers through middleware. Headers like X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options are set by default. Additional headers can be added via middleware.
Laravel provides encryption using the Crypt facade. Data is encrypted using OpenSSL and AES-256-CBC. The encryption key is stored in the .env file. All encrypted values are signed to prevent tampering.
Laravel secures sessions using encrypted cookies, CSRF protection, and secure configuration options. Sessions can be stored in various drivers (file, database, Redis). Session IDs are regularly rotated.
Rate limiting uses the throttle middleware with configurable attempt counts and time windows. It can limit by IP, user ID, or custom parameters, and supports Redis for distributed applications.
Secure file uploads by validating file types, size limits, and scanning for malware. Store files outside webroot. Use Storage facade for safe file operations. Implement proper permissions.
API authentication uses tokens, OAuth, or JWT. Laravel provides Passport and Sanctum for API auth. Supports multiple authentication guards and token abilities.
2FA can be implemented using packages or custom solutions. Support TOTP, SMS, or email verification. Handle backup codes and device remembering. Integrate with authentication flow.
Implement password policies using validation rules. Check length, complexity, history. Handle password expiration and rotation. Support password strength indicators.
RBAC implements authorization using roles and permissions. It can use the built-in Gates and Policies or packages like Spatie Permissions. Support hierarchical roles and permission inheritance.
Audit logging tracks user actions and changes. Use model events, observers, or packages. Log authentication attempts, data modifications. Support audit trail review and reporting.
CORS (Cross-Origin Resource Sharing) is handled through middleware. Configure allowed origins, methods, headers. Support preflight requests. Handle credentials and caching.
Secure downloads using signed URLs or tokens. Validate user permissions. Handle file streaming and range requests. Implement download tracking and rate limiting.
Request validation ensures input safety. Use Form Requests, validation rules. Handle file uploads securely. Prevent mass assignment vulnerabilities. Sanitize input data.
Advanced rate limiting using multiple strategies. Support token bucket, leaky bucket algorithms. Handle distributed rate limiting. Implement custom response headers.