AI QA Monkey
AI Security Intelligence
Enterprise-grade recon engine

Free Laravel Security Scanner

Detect exposed .env files, debug mode leaks, SQL injection risks, and Laravel-specific vulnerabilities in 60 seconds. No signup required.

Scan Your Laravel App Now

Our AI-powered scanner detects Laravel-specific vulnerabilities including .env exposure, debug mode, mass assignment, and CSRF issues.


.env File Exposure

Checks if your .env file is publicly accessible. An exposed .env reveals database credentials, APP_KEY (used for encryption), API keys, mail passwords, and third-party secrets.

Debug Mode Detection

Detects APP_DEBUG=true in production. Debug mode exposes full stack traces, environment variables, database queries, and internal file paths to any visitor.

Authentication Security

Checks for exposed registration routes, password reset vulnerabilities, session configuration, and cookie security flags on Laravel's auth system.

Security Headers & SSL

Validates CSP, HSTS, X-Frame-Options, and other headers. Checks SSL/TLS configuration and Laravel's HTTPS enforcement settings.

Exposed Routes & Storage

Detects publicly accessible storage directories, exposed Telescope/Horizon dashboards, and route information disclosure through debug endpoints.

Email & DNS Security

Validates SPF, DKIM, and DMARC records. Critical for Laravel apps sending transactional emails, password resets, and notifications.

Common Laravel Vulnerabilities

Laravel is one of the most popular PHP frameworks, powering millions of applications. While it provides excellent security features, misconfiguration and developer mistakes create significant risks.

1. Exposed .env Files

The #1 Laravel vulnerability. If your web server serves the .env file, attackers get your database password, APP_KEY (used to decrypt all encrypted data), mail credentials, and every API key.

# Block .env access in Apache (.htaccess)
<Files ".env">
    Require all denied
</Files>

# Block .env access in Nginx
location ~ /\.env {
    deny all;
    return 404;
}

See our complete Exposed .env Files Fix Guide for all platforms.

2. Debug Mode in Production

When APP_DEBUG=true in production, Laravel's error handler (Ignition) displays full stack traces, environment variables, database queries, and internal file paths to any visitor who triggers an error. Turn it off in the production environment file:

# .env — PRODUCTION
APP_DEBUG=false
APP_ENV=production

# config/app.php reads that value; keep the fallback at false so a missing
# APP_DEBUG entry never silently enables debug output
'debug' => (bool) env('APP_DEBUG', false),

3. Mass Assignment

If $fillable or $guarded are not properly set on Eloquent models, attackers can modify any database column by adding extra fields to form submissions:

use Illuminate\Database\Eloquent\Model;

// VULNERABLE — protection switched off
class User extends Model {
    // Emptying $guarded makes every column mass-assignable, so a request
    // that adds is_admin=1 to the form fields sets it on the model.
    protected $guarded = [];
}

// SECURE — Whitelist fillable fields
class User extends Model {
    protected $fillable = ['name', 'email', 'password'];
    // 'is_admin', 'role', etc. cannot be mass-assigned
}

4. SQL Injection via Raw Queries

Eloquent ORM prevents SQL injection by default, but raw queries bypass this protection:

use App\Models\User;
use Illuminate\Support\Facades\DB;

// VULNERABLE — user input interpolated directly into the SQL string
$users = DB::select("SELECT * FROM users WHERE name = '$name'");

// SECURE — Parameterized raw query (the value is bound, never concatenated)
$users = DB::select('SELECT * FROM users WHERE name = ?', [$name]);

// SECURE — Eloquent (always parameterized)
$users = User::where('name', $name)->get();

Laravel Security Checklist

  1. Block .env file access in web server configuration
  2. Set APP_DEBUG=false and APP_ENV=production
  3. Regenerate APP_KEY if it was ever exposed
  4. Set $fillable on all Eloquent models
  5. Never use raw SQL with user input — use Eloquent or parameterized queries
  6. Keep Laravel and all packages updated (composer update)
  7. Restrict access to Telescope, Horizon, and Nova dashboards
  8. Configure security headers via middleware
  9. Force HTTPS: set FORCE_HTTPS=true or use URL::forceScheme('https')
  10. Set secure cookie flags: SESSION_SECURE_COOKIE=true
  11. Set up SPF, DKIM, and DMARC for email security
  12. Run composer audit regularly for dependency vulnerabilities


Frequently Asked Questions

What are the biggest Laravel security risks?

Exposed .env files, debug mode in production, mass assignment vulnerabilities, SQL injection through raw queries, and insecure deserialization. The .env exposure alone can compromise your entire application.

Is Laravel secure by default?

Laravel provides excellent security: Eloquent prevents SQLi, Blade auto-escapes output, built-in CSRF protection, and bcrypt hashing. However, these can be bypassed through raw queries, {!! !!} output, disabled middleware, or misconfigured mass assignment.

How do I check if my Laravel .env file is exposed?

Visit yourdomain.com/.env in a browser. If you see environment variables, your .env is exposed — block access immediately. Use our free scanner to check for .env exposure along with 75+ other issues.
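As an added example (not the scanner's own code), a Python self-check for a deployment you operate that covers items 1 and 2 above and this answer: it fetches /.env, parses the body as dotenv and reports leaked Laravel secrets and APP_DEBUG=true. It classifies the body rather than the status code because many front controllers answer 200 with an HTML page for any path; the sample bodies and key list are constructed for the example.

```python
import re
from urllib.request import Request, urlopen
from urllib.error import URLError

# Keys whose leak is critical (from the page's description of .env contents).
SENSITIVE_KEYS = {"APP_KEY", "DB_PASSWORD", "MAIL_PASSWORD", "AWS_SECRET_ACCESS_KEY"}
_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(body: str) -> dict:
    """Return KEY -> value for lines that look like dotenv assignments."""
    found = {}
    for line in body.splitlines():
        if line.lstrip().startswith("#"):        # commented-out entries are not live
            continue
        m = _ASSIGNMENT.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip("\"'")
    return found


def classify(status: int, body: str) -> list:
    """Turn one HTTP response for /.env into a list of findings (empty = clean)."""
    env = parse_dotenv(body)
    # A real Laravel .env carries APP_* keys; an HTML fallback page parses to nothing.
    if status != 200 or not any(k.startswith("APP_") for k in env):
        return []
    findings = ["CRITICAL: .env is publicly readable; rotate APP_KEY and every credential in it"]
    leaked = sorted(SENSITIVE_KEYS & env.keys())
    if leaked:
        findings.append("CRITICAL: secrets exposed: " + ", ".join(leaked))
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append("HIGH: APP_DEBUG=true in the served .env")
    return findings


def check_site(base_url: str, timeout: float = 10.0) -> list:
    """Fetch base_url/.env from your own deployment and classify the response."""
    req = Request(base_url.rstrip("/") + "/.env", headers={"User-Agent": "env-self-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except URLError:          # includes HTTPError, e.g. the 404 a blocked .env should return
        return []


# Constructed sample bodies: an exposed file and an SPA-style HTML fallback.
EXPOSED_BODY = ("APP_NAME=Shop\nAPP_ENV=production\nAPP_DEBUG=true\n"
                "APP_KEY=base64:PLACEHOLDER\nDB_PASSWORD=\"s3cret\"\n# MAIL_PASSWORD=old\n")
FALLBACK_BODY = "<!DOCTYPE html><html><head><title>Shop</title></head><body></body></html>"
```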
