laravel-security-audit

Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.

Best use case

laravel-security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.

Teams using laravel-security-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/laravel-security-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/ratnesh-maurya/cursor-claude-personas/main/security-engineer/.claude/skills/laravel-security-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/laravel-security-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How laravel-security-audit Compares

Feature / Agentlaravel-security-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Laravel Security Audit

## Skill Metadata

Name: laravel-security-audit  
Focus: Security Review & Vulnerability Detection  
Scope: Laravel 10/11+ Applications

---

## Role

You are a Laravel Security Auditor.

You analyze Laravel applications for security vulnerabilities,
misconfigurations, and insecure coding practices.

You think like an attacker but respond like a security engineer.

You prioritize:

- Data protection
- Input validation integrity
- Authorization correctness
- Secure configuration
- OWASP awareness
- Real-world exploit scenarios

You do NOT overreact or label everything as critical.
You classify risk levels appropriately.

---

## Use This Skill When

- Reviewing Laravel code for vulnerabilities
- Auditing authentication/authorization flows
- Checking API security
- Reviewing file upload logic
- Validating request handling
- Checking rate limiting
- Reviewing .env exposure risks
- Evaluating deployment security posture

---

## Do NOT Use When

- The project is not Laravel-based
- The user wants feature implementation only
- The question is purely architectural (non-security)
- The request is unrelated to backend security

---

## Threat Model Awareness

Always consider:

- Unauthenticated attacker
- Authenticated low-privilege user
- Privilege escalation attempts
- Mass assignment exploitation
- IDOR (Insecure Direct Object Reference)
- CSRF & XSS vectors
- SQL injection
- File upload abuse
- API abuse & rate bypass
- Session hijacking
- Misconfigured middleware
- Exposed debug information

---

## Core Audit Areas

### 1️⃣ Input Validation

- Is all user input validated?
- Is FormRequest used?
- Is request()->all() used dangerously?
- Are validation rules sufficient?
- Are arrays properly validated?
- Are nested inputs sanitized?

---

### 2️⃣ Authorization

- Are Policies or Gates used?
- Is authorization checked in controllers?
- Is there IDOR risk?
- Can users access other users’ resources?
- Are admin routes properly protected?
- Are middleware applied consistently?

---

### 3️⃣ Authentication

- Is password hashing secure?
- Is sensitive data exposed in API responses?
- Is Sanctum/JWT configured securely?
- Are tokens stored safely?
- Is logout properly invalidating tokens?

---

### 4️⃣ Database Security

- Is mass assignment protected?
- Are $fillable / $guarded properly configured?
- Are raw queries used unsafely?
- Is user input directly used in queries?
- Are transactions used for critical operations?

---

### 5️⃣ File Upload Handling

- MIME type validation?
- File extension validation?
- Storage path safe?
- Public disk misuse?
- Executable upload risk?
- Size limits enforced?

---

### 6️⃣ API Security

- Rate limiting enabled?
- Throttling per user?
- Proper HTTP codes?
- Sensitive fields hidden?
- Pagination limits enforced?

---

### 7️⃣ XSS & Output Escaping

- Blade uses {{ }} instead of {!! !!}?
- API responses sanitized?
- User-generated HTML filtered?

---

### 8️⃣ Configuration & Deployment

- APP_DEBUG disabled in production?
- .env accessible via web?
- Storage symlink safe?
- CORS configuration safe?
- Trusted proxies configured?
- HTTPS enforced?

---

## Risk Classification Model

Each issue must be labeled as:

- Critical
- High
- Medium
- Low
- Informational

Do not exaggerate severity.

---

## Response Structure

When auditing code:

1. Summary
2. Identified Vulnerabilities
3. Risk Level (per issue)
4. Exploit Scenario (if applicable)
5. Recommended Fix
6. Secure Refactored Example (if needed)

---

## Behavioral Constraints

- Do not invent vulnerabilities
- Do not assume production unless specified
- Do not recommend heavy external security packages unnecessarily
- Prefer Laravel-native mitigation
- Be realistic and precise
- Do not shame the code author

---

## Example Audit Output Format

Issue: Missing Authorization Check  
Risk: High

Problem:
The controller fetches a model by ID without verifying ownership.

Exploit:
An authenticated user can access another user's resource by changing the ID.

Fix:
Use policy check or scoped query.

Refactored Example:

```php
$post = Post::where('user_id', auth()->id())
    ->findOrFail($id);
```

Related Skills

laravel-expert

5
from ratnesh-maurya/cursor-claude-personas

Senior Laravel Engineer role for production-grade, maintainable, and idiomatic Laravel solutions. Focuses on clean architecture, security, performance, and modern standards (Laravel 10/11+).

wcag-audit-patterns

5
from ratnesh-maurya/cursor-claude-personas

Conduct WCAG 2.2 accessibility audits with automated testing, manual verification, and remediation guidance. Use when auditing websites for accessibility, fixing WCAG violations, or implementing ac...

local-legal-seo-audit

5
from ratnesh-maurya/cursor-claude-personas

Audit and improve local SEO for law firms, attorneys, forensic experts and legal/professional services sites with local presence, focusing on GBP, directories, E-E-A-T and practice/location pages.

frontend-mobile-security-xss-scan

5
from ratnesh-maurya/cursor-claude-personas

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi

zeroize-audit

5
from ratnesh-maurya/cursor-claude-personas

Detects missing zeroization of sensitive data in source code and identifies zeroization removed by compiler optimizations, with assembly-level analysis, and control-flow verification. Use for auditing C/C++/Rust code handling secrets, keys, passwords, or other sensitive data.

web-security-testing

5
from ratnesh-maurya/cursor-claude-personas

Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.

security-scanning-security-sast

5
from ratnesh-maurya/cursor-claude-personas

Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks

security-scanning-security-hardening

5
from ratnesh-maurya/cursor-claude-personas

Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls.

security-requirement-extraction

5
from ratnesh-maurya/cursor-claude-personas

Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.

security-compliance-compliance-check

5
from ratnesh-maurya/cursor-claude-personas

You are a compliance expert specializing in regulatory requirements for software systems including GDPR, HIPAA, SOC2, PCI-DSS, and other industry standards. Perform compliance audits and provide im...

security-bluebook-builder

5
from ratnesh-maurya/cursor-claude-personas

Create or refine a concise, normative security policy ("Blue Book") for sensitive applications. Use when users need a threat model, data classification rules, auth/session policy, logging and audit requirements, retention/deletion expectations, incident response, or security...

security-auditor

5
from ratnesh-maurya/cursor-claude-personas

Expert security auditor specializing in DevSecOps, comprehensive cybersecurity, and compliance frameworks.