hoangnguyen0403/laravel-security
skills/laravel/laravel-security/SKILL.md
Harden Laravel apps with Policies for model authorization, Gate-based RBAC, validated mass assignment, and CSRF protection. Use when creating authorization policies, securing env config access, or preventing mass assignment vulnerabilities.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard laravel-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 3:35 AM186.0s3 files scanned
SKILL.md
- name:
- laravel-security
- description:
- Harden Laravel apps with Policies for model authorization, Gate-based RBAC, validated mass assignment, and CSRF protection. Use when creating authorization policies, securing env config access, or preventing mass assignment vulnerabilities.
Laravel Security
Priority: P0 (CRITICAL)
Workflow: Secure Resource
- Generate policy —
php artisan make:policy PostPolicy --model=Post. - Implement policy methods — Return
boolforview,update,deleteactions. - Authorize in controller — Call
$this->authorize('update', $post). - Add Gate bypass — Define
Gate::before()for admin users inAuthServiceProvider. - Validate inputs — Use Form Request with
$request->validated()forModel::create().
Policy Example
See implementation examples for Policy class with controller authorization.
Implementation Guidelines
Authorization & RBAC
- Policies: Always use
php artisan make:policy PostPolicy --model=Postfor model-level authorization. - Checkers: Implement
update(User $user, Post $post): booland call$this->authorize('update', $post)in controllers. - Gates: Use
Gate::define('admin', fn(User $user) => ...)for global permissions. Check withGate::allows('admin')or Blade@can('admin'). prefer Policies for model-bound checks; use Gates for global permissions. - Admin Bypass: Define
Gate::before(fn($u) => $u->isAdmin() ? true : null)inAuthServiceProvider.
Configuration & Environment
- Environment: Only call env() inside config/*.php files. Access via
config('app.key')in your application code. never env() in controllers; use config() instead. - Caching: Run
php artisan config:cacheto validate thatenv()isn't used where it shouldn't .
Data & Input Security
- Mass Assignment: Use Form Request with rules() and call $request->validated() for Model::create(). Define $fillable on model; never pass $request->all() to create().
- CSRF: Ensure @csrf directive in all Blade
<form>tags. active on web routes by default; use->except(['/webhook'])only for trusted third-party callbacks. - Role-Based Access: Use Policies with role checks in policy methods; define
Gate::beforefor admin bypass; or usespatie/laravel-permission; never inline $user->role === 'admin'.
Anti-Patterns
- No
env()outside config files: Access viaconfig()helper. - No custom auth logic: Use Laravel's built-in auth system.
- No unvalidated mass assignment: Always call
validated(). - No auth logic in Blade: Pass permissions as data from controller.
References
- Policy & Env Best Practices
Related Skills
hoangnguyen0403/common-software-requirements
development
VerifiedTrustedCommunity
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-business-requirements
development
VerifiedTrustedCommunity
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-tdd
development
VerifiedTrustedCommunity
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.
503SKILL.mdUpdated May 10, 2026
hoangnguyen0403/common-product-requirements
testing
VerifiedTrustedCommunity
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
503SKILL.mdUpdated May 10, 2026