
Rules Reference

Jean-Marc Strauven edited this page Aug 1, 2025 · 1 revision

πŸ“ Security Rules Reference

Laravel Safeguard includes comprehensive security rules organized by category. Each rule can be enabled/disabled in your configuration and provides specific security validations for your Laravel application.

πŸ” Environment & Configuration Rules

app-debug-false-in-production

Purpose: Ensures APP_DEBUG is disabled in production environments
Severity: 🚨 Critical
Environments: production, staging

Debug mode in production can expose sensitive information including stack traces, environment variables, and internal application structure.

# ✅ Good - Production configuration (.env uses # for comments)
APP_DEBUG=false

# ❌ Bad - Debug enabled in production
APP_DEBUG=true

Configuration:

'app-debug-false-in-production' => true,

app-key-is-set

Purpose: Verifies that Laravel application key is generated
Severity: 🚨 Critical
Environments: all

The application key is the secret behind Laravel's encrypter: it protects sessions, encrypted cookies, signed URLs, and anything you store with Crypt. Without a key the encrypter cannot start at all, and a weak or shared key lets anyone who knows it forge session cookies and decrypt stored data.

# Generate application key if missing
php artisan key:generate

Configuration:

'app-key-is-set' => true,

env-has-all-required-keys

Purpose: Validates all required environment variables are present
Severity: ❌ Error
Environments: all

Ensures all critical environment variables are defined to prevent application errors and security misconfigurations.

Configuration:

'env-has-all-required-keys' => true,

// Define required variables
'required_env_vars' => [
    'APP_KEY',
    'APP_ENV',
    'APP_DEBUG',
    'APP_URL',
    'DB_CONNECTION',
    'DB_HOST',
    'DB_DATABASE',
    'DB_USERNAME',
    'DB_PASSWORD',
    'MAIL_MAILER',
    'SESSION_DRIVER',
],
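The following is an added, stand-alone example of what a required-key check has to do, written for this page rather than taken from Laravel Safeguard: parse a .env body (comments, blank lines, `export` prefixes, quoted and unquoted values) and report keys that are absent or empty. The sample .env is constructed for the demo and deliberately leaves APP_KEY empty and omits DB_PASSWORD; an empty value is as much a finding as a missing key, because `env('DB_PASSWORD')` returns an empty string in both cases.

```php
<?php
declare(strict_types=1);

// Added example: a stand-alone .env parser and required-key check.
// It is NOT Laravel Safeguard's implementation; the rule above is a
// black box to us. The sample .env below is constructed for the demo.

/**
 * Parse a .env body into [KEY => value]. Handles comments, blank lines,
 * `export KEY=...`, and single/double-quoted values. Assumption: this is
 * a simplified subset of the dotenv grammar, enough for config checks.
 */
function parseDotenv(string $body): array
{
    $vars = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (str_starts_with($line, 'export ')) {
            $line = trim(substr($line, 7));
        }
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/', $line, $m)) {
            continue; // malformed line, ignored the way most loaders ignore it
        }
        $value = trim($m[2]);
        if ($value !== '' && ($value[0] === '"' || $value[0] === "'")) {
            $quote = $value[0];
            $end = strrpos($value, $quote);
            $value = $end > 0 ? substr($value, 1, $end - 1) : substr($value, 1);
        } else {
            // strip a trailing inline comment from an unquoted value
            $value = trim(preg_replace('/\s+#.*$/', '', $value));
        }
        $vars[$m[1]] = $value;
    }
    return $vars;
}

/** Return the required keys that are absent or have an empty value. */
function missingRequiredKeys(array $vars, array $required): array
{
    $missing = [];
    foreach ($required as $key) {
        if (!array_key_exists($key, $vars) || $vars[$key] === '') {
            $missing[] = $key;
        }
    }
    return $missing;
}

// Constructed sample: APP_KEY is present but empty, DB_PASSWORD is absent.
$sampleEnv = <<<'ENV'
# Application
APP_NAME="My App"
APP_ENV=production
APP_KEY=
APP_DEBUG=false          # never true in production
APP_URL=https://example.com

DB_CONNECTION=mysql
export DB_HOST=127.0.0.1
DB_DATABASE=app
DB_USERNAME='app_user'
MAIL_MAILER=smtp
SESSION_DRIVER=redis
ENV;

$required = ['APP_KEY', 'APP_ENV', 'APP_DEBUG', 'APP_URL', 'DB_CONNECTION',
             'DB_HOST', 'DB_DATABASE', 'DB_USERNAME', 'DB_PASSWORD',
             'MAIL_MAILER', 'SESSION_DRIVER'];

$missing = missingRequiredKeys(parseDotenv($sampleEnv), $required);
echo 'Missing or empty: ' . implode(', ', $missing) . PHP_EOL;
exit($missing === [] ? 0 : 1);
```

The non-zero exit status is what makes this usable as a CI gate: run it against the .env that deployment actually ships, not against .env.example, which is allowed to be incomplete.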

no-secrets-in-code

Purpose: Detects hardcoded secrets in your codebase
Severity: 🚨 Critical
Environments: all

Scans your codebase for hardcoded secrets, API keys, passwords, and other sensitive information that should be in environment variables.

Common patterns detected:

  • $apiKey = 'sk_live_...'
  • 'password' => 'hardcoded123'
  • AWS_ACCESS_KEY = 'AKIA...'
  • define('SECRET_KEY', 'abc123');

Configuration:

'no-secrets-in-code' => true,

// Customize patterns to detect
'secret_patterns' => [
    '*_KEY',
    '*_SECRET',
    '*_TOKEN',
    '*_PASSWORD',
    'API_*',
    'AWS_*',
    'STRIPE_*',
],
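As an added example (not Laravel Safeguard's scanner), here is a minimal line-oriented secret scanner that implements the two detection ideas the list above implies: a literal string assigned to a name that matches the configured patterns, and provider-specific token formats that are secrets whatever they are called. Lines that read their value from `env()` or `getenv()` are skipped, since that is the fix rather than a finding. The two "files" are constructed strings; the AWS key id is Amazon's documented example value and the Stripe key is a made-up placeholder.

```php
<?php
declare(strict_types=1);

// Added example: a small hardcoded-secret scanner, not the package's own
// implementation. It walks PHP source text line by line and reports literal
// string values assigned to secret-looking names, plus well-known token
// prefixes. The "files" below are constructed strings, not real code.

/** Name patterns from the rule's configuration, expressed as one regex. */
const SECRET_NAME_RE = '/(?:^|_)(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD)$|^(?:API|AWS|STRIPE)_/';

/** Provider-specific token formats that are secrets regardless of name. */
const SECRET_VALUE_RES = [
    'stripe live key'   => '/sk_live_[A-Za-z0-9]{16,}/',
    'AWS access key id' => '/\bAKIA[0-9A-Z]{16}\b/',
    'GitHub token'      => '/\bgh[pousr]_[A-Za-z0-9]{36,}\b/',
];

function scanSource(string $path, string $source): array
{
    // $apiKey = '...';   'password' => '...';   define('SECRET_KEY', '...');
    $assign = '/(?:\$(\w+)\s*=|[\'"](\w+)[\'"]\s*=>|define\s*\(\s*[\'"](\w+)[\'"]\s*,)'
            . '\s*[\'"]([^\'"]{4,})[\'"]/';
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        $no = $i + 1;

        // Values pulled from the environment are the fix, not a finding.
        if (preg_match('/\b(?:env|getenv)\s*\(/', $line)) {
            continue;
        }

        if (preg_match($assign, $line, $m)) {
            $name = $m[1] !== '' ? $m[1] : ($m[2] !== '' ? $m[2] : $m[3]);
            // apiKey -> API_KEY so the *_KEY style patterns apply to camelCase
            $normalized = strtoupper(preg_replace('/(?<=[a-z0-9])(?=[A-Z])/', '_', $name));
            if (preg_match(SECRET_NAME_RE, $normalized)) {
                $findings[] = ['file' => $path, 'line' => $no,
                               'rule' => "literal assigned to secret-looking name '$name'"];
                continue; // one finding per line is enough
            }
        }

        foreach (SECRET_VALUE_RES as $label => $re) {
            if (preg_match($re, $line)) {
                $findings[] = ['file' => $path, 'line' => $no, 'rule' => $label];
            }
        }
    }
    return $findings;
}

// Constructed inputs in the shape of real Laravel files.
$files = [
    'config/services.php' => <<<'PHP'
return [
    'stripe' => [
        'key' => env('STRIPE_KEY'),                  // fine: from the environment
        'secret' => 'sk_live_EXAMPLE0000000000000000', // hardcoded placeholder key
    ],
    'ses' => ['key' => 'AKIAIOSFODNN7EXAMPLE'],      // AWS documentation sample id
];
PHP,
    'app/Legacy.php' => <<<'PHP'
define('SECRET_KEY', 'abc123');
$apiKey = 'not-a-real-key-1234';
$dbConfig = ['password' => 'hardcoded123'];
$label = 'Checkout';                                 // harmless string
PHP,
];

foreach ($files as $path => $source) {
    foreach (scanSource($path, $source) as $f) {
        printf("%s:%d %s\n", $f['file'], $f['line'], $f['rule']);
    }
}
```

A scanner like this is a tripwire, not proof of absence: it will not see secrets split across lines, built by concatenation, or stored in non-PHP files, so pair it with a scan of the repository history, where a secret that was "removed" in a later commit is still readable.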

πŸ›‘οΈ Security Rules

csrf-enabled

Purpose: Ensures CSRF protection is enabled
Severity: 🚨 Critical
Environments: all

Cross-Site Request Forgery protection prevents malicious websites from performing actions on behalf of authenticated users.

Configuration:

'csrf-enabled' => true,

Checks:

  • VerifyCsrfToken middleware (ValidateCsrfToken in Laravel 11 and later) is active on the web middleware group
  • CSRF tokens are properly generated
  • Web routes are protected: the middleware's $except list contains only routes that authenticate some other way (for example signed webhooks), never a wildcard that switches the protection off

composer-package-security

Purpose: Validates composer packages for known security vulnerabilities
Severity: ❌ Error
Environments: all

Scans your composer.lock file for packages with known security vulnerabilities and recommends updates. Composer 2.4 and later ships the same check as `composer audit`, which reads the same lock file and exits non-zero when an advisory matches, so it can gate a CI pipeline even where this rule is not run.

Configuration:

'composer-package-security' => true,

secure-cookies-in-production

Purpose: Ensures cookies are secure in production
Severity: 🚨 Critical
Environments: production, staging

Validates that cookies have proper security flags set in production environments.

Configuration:

'secure-cookies-in-production' => true,

Checks:

  • SESSION_SECURE_COOKIE=true in production
  • SESSION_SAME_SITE properly configured
  • SESSION_HTTP_ONLY=true
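The following added example (written for this page, not Laravel Safeguard's implementation) evaluates the cookie-related keys of config/session.php against those three checks, and adds the interaction a practitioner trips over most often: `same_site=none` is only honoured by browsers when the cookie is also `Secure`. The two arrays are constructed stand-ins for what `config('session')` returns in a stock install with nothing set in .env, and in a hardened production deployment.

```php
<?php
declare(strict_types=1);

// Added example (not Laravel Safeguard's code): checks the cookie-related
// keys of Laravel's config/session.php the way the rule above describes.
// The arrays below stand in for config('session') in two deployments.

function checkSessionCookieConfig(array $session, string $env): array
{
    $findings = [];
    $prodLike = in_array($env, ['production', 'staging'], true);
    $sameSite = strtolower((string) ($session['same_site'] ?? ''));

    // Secure flag: without it the browser also sends the session cookie over
    // plain HTTP, so a TLS-only app is still one http:// link away from leaking
    // it. Laravel leaves this unset unless SESSION_SECURE_COOKIE=true.
    if ($prodLike && ($session['secure'] ?? false) !== true) {
        $findings[] = 'session.secure must be true (set SESSION_SECURE_COOKIE=true)';
    }
    // HttpOnly keeps document.cookie from reading the session id after an XSS.
    if (($session['http_only'] ?? false) !== true) {
        $findings[] = 'session.http_only must be true';
    }
    // SameSite lax/strict blocks the cross-site POSTs that CSRF relies on.
    // "none" is only valid together with Secure; browsers drop it otherwise.
    if (!in_array($sameSite, ['lax', 'strict', 'none'], true)) {
        $findings[] = "session.same_site is '{$sameSite}', expected lax or strict";
    } elseif ($sameSite === 'none') {
        $findings[] = ($session['secure'] ?? false) === true
            ? 'session.same_site=none gives up CSRF defence-in-depth; prefer lax'
            : 'session.same_site=none requires session.secure=true';
    }
    // A session that never expires is a stolen cookie that never expires.
    if ((int) ($session['lifetime'] ?? 0) > 24 * 60) {
        $findings[] = 'session.lifetime exceeds 24 hours';
    }
    return $findings;
}

// Constructed: Laravel's stock config with nothing set in .env ...
$weak = ['lifetime' => 120, 'secure' => null, 'http_only' => true, 'same_site' => 'lax'];
// ... and a hardened production configuration.
$hardened = ['lifetime' => 120, 'secure' => true, 'http_only' => true, 'same_site' => 'strict'];

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $cfg) {
    $findings = checkSessionCookieConfig($cfg, 'production');
    echo "$label: " . ($findings === [] ? 'OK' : implode('; ', $findings)) . PHP_EOL;
}
```

`strict` is the stronger setting but drops the cookie on top-level navigations arriving from other sites (a link in an e-mail lands the user on a logged-out page); `lax` is the usual production choice and still blocks cross-site POST.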

https-enforced-in-production

Purpose: Verifies HTTPS is enforced in production
Severity: 🚨 Critical
Environments: production

Ensures all traffic is encrypted with HTTPS in production environments.

Configuration:

'https-enforced-in-production' => true,
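Here is an added example of how the enforcement itself is usually done in a Laravel application; it is not Laravel Safeguard's code, and the class name `ForceHttps` and its placement are this page's assumptions. It redirects plain-HTTP requests to the TLS origin and, once a request is known to be over TLS, adds an HSTS header so returning browsers never try HTTP again.

```php
<?php
// Added example, not the package's or Laravel's own code: middleware that
// enforces HTTPS at the application layer. Assumes a Laravel application
// with trusted proxies configured (see the note below the block).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ForceHttps
{
    public function handle(Request $request, Closure $next): Response
    {
        $enforce = app()->environment('production', 'staging');

        // Plain-HTTP request in a production-like environment: redirect once
        // to the same path over TLS. Behind a TLS-terminating load balancer
        // secure() is derived from X-Forwarded-Proto, which Laravel only
        // honours from trusted proxies; without that configuration this
        // redirect loops forever.
        if ($enforce && !$request->secure()) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: tell browsers to refuse plain HTTP for this host for a year.
        // Emit it only over TLS and only once the whole site is TLS-clean;
        // a client that has cached it cannot be told to forget it early.
        if ($enforce && $request->secure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}
```

Register it in the web middleware group (`$middleware->web(append: [...])` in bootstrap/app.php on Laravel 11, or `$middlewareGroups['web']` in app/Http/Kernel.php on earlier versions), declare the load balancer with `trustProxies` / the `TrustProxies` middleware, and call `URL::forceScheme('https')` in a service provider so generated links match. Terminating the redirect at the web server or load balancer instead is equally valid; the point of the rule is that some layer does it.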

πŸ“ File System Security Rules

env-file-permissions

Purpose: Ensures .env file has proper permissions
Severity: 🚨 Critical
Environments: production, staging

Checks that .env files, which hold APP_KEY, database credentials and third-party API secrets in plaintext, are not readable by other accounts on the host. A world-readable .env turns any local foothold (a compromised neighbouring site, a low-privilege shell) into full application credentials.

Configuration:

'env-file-permissions' => true,

Recommended permissions:

# Correct permissions (600 = owner read/write only)
chmod 600 .env

# Incorrect permissions (644 = world readable)
chmod 644 .env  # ❌ Avoid this

The owner must be the account PHP runs as (or, with 640, that account's group must own the file); tightening the mode without fixing ownership locks the application out of its own configuration, which is why the deploy user and the runtime user should not be confused.
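The following added example (this page's code, not the package's) shows the same check done from PHP so it can run as part of a deploy script: it reads the mode bits, reports each offending bit by name, and tightens the file to 0600. It demonstrates on a temporary file it creates itself, so it is safe to run anywhere with a POSIX filesystem; on Windows the mode bits carry no such meaning and the check is not applicable.

```php
<?php
declare(strict_types=1);

// Added example, not the package's implementation: inspect and fix the mode
// bits of a .env file the way the rule above expects. Runs against a temp
// file it creates itself, so it is safe to try on any POSIX filesystem.

/**
 * Return the problems with $path's permissions, or [] if it is acceptable.
 * Acceptable: no group/other bits at all (0600), or at most group-read
 * (0640) when the web server user is a member of the owning group.
 */
function envFileIssues(string $path, bool $allowGroupRead = false): array
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        return ["cannot stat $path"];
    }
    $mode = $perms & 0777;
    $issues = [];
    if ($mode & 0004) {
        $issues[] = sprintf('%s is world-readable (mode %04o)', $path, $mode);
    }
    if ($mode & 0002) {
        $issues[] = sprintf('%s is world-writable (mode %04o)', $path, $mode);
    }
    if (($mode & 0040) && !$allowGroupRead) {
        $issues[] = sprintf('%s is group-readable (mode %04o)', $path, $mode);
    }
    if ($mode & 0020) {
        $issues[] = sprintf('%s is group-writable (mode %04o)', $path, $mode);
    }
    if ($mode & 0111) {
        $issues[] = sprintf('%s has execute bits set (mode %04o)', $path, $mode);
    }
    return $issues;
}

/** Tighten to owner-only access; returns true on success. */
function lockDownEnvFile(string $path): bool
{
    return chmod($path, 0600);
}

// Demo on a throwaway file holding a constructed, non-functional key line.
$tmp = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($tmp, "APP_KEY=base64:not-a-real-key\n");
chmod($tmp, 0644);                      // the common, wrong, default
print_r(envFileIssues($tmp));           // check the permissive mode
lockDownEnvFile($tmp);
print_r(envFileIssues($tmp));           // re-check after tightening
unlink($tmp);
```

Pass `allowGroupRead: true` only when the file is owned by the runtime user's group on purpose (for example a deploy user that writes .env and a php-fpm pool that reads it); world-readable is never acceptable for this file.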

sensitive-files-hidden

Purpose: Validates that sensitive files are not web-accessible
Severity: ❌ Error
Environments: all

Ensures sensitive files cannot be accessed directly via web requests.

Configuration:

'sensitive-files-hidden' => true,

'sensitive_files' => [
    '.env',
    '.env.example',
    'composer.json',
    'composer.lock',
    'package.json',
    'artisan',
    'phpunit.xml',
    'README.md',
],

storage-writable

Purpose: Verifies storage directories are writable
Severity: ❌ Error
Environments: all

Ensures Laravel can write to required directories for logs, cache, and sessions.

Configuration:

'storage-writable' => true,

πŸ—„οΈ Database Security Rules

database-connection-encrypted

Purpose: Verifies that database connections use SSL/TLS encryption
Severity: 🚨 Critical
Environments: production, staging

Ensures database connections are encrypted in transit to protect sensitive data.

Configuration:

'database-connection-encrypted' => true,

Example secure database configuration:

// config/database.php
'mysql' => [
    'driver' => 'mysql',
    'host' => env('DB_HOST'),
    // ... other config
    'options' => [
        // Path to the CA bundle that signed the server certificate. Without
        // it the verify flag below has nothing to verify against.
        PDO::MYSQL_ATTR_SSL_CA => env('MYSQL_ATTR_SSL_CA'),
        // Reject servers whose certificate does not chain to that CA.
        // Encrypting without verification still lets an on-path attacker
        // present their own certificate and read every query.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ],
],

database-credentials-not-default

Purpose: Checks for default or weak database credentials
Severity: 🚨 Critical
Environments: all

Validates that database passwords are not empty, default, or commonly used weak passwords.

Configuration:

'database-credentials-not-default' => true,

Common issues detected:

  • Empty passwords
  • Username/password combinations like root/root
  • Default MySQL passwords
  • Common weak passwords
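The following is an added example, not Laravel Safeguard's implementation, of a credential check covering the four cases above; it goes one step beyond the list by also flagging connections made as a database superuser, since a least-privilege application role limits what an SQL injection can do. The default-credential table is a short constructed list of combinations that ship with common installs (including Laravel Homestead's documented `homestead`/`secret`), not an exhaustive wordlist, and the connection arrays are constructed in the shape of `config('database.connections')`.

```php
<?php
declare(strict_types=1);

// Added example (not the package's code): evaluate database credentials
// against the failure modes the rule lists. Input arrays are constructed
// to mirror the 'connections' entries of config/database.php.

const DEFAULT_CREDENTIALS = [
    // username => passwords that shipped as defaults or sit in every wordlist
    'root'      => ['', 'root', 'toor', 'mysql', 'password', 'admin'],
    'admin'     => ['', 'admin', 'password', 'admin123'],
    'postgres'  => ['', 'postgres', 'password'],
    'sa'        => ['', 'sa', 'Password1', 'Password123'],
    'laravel'   => ['', 'laravel', 'secret', 'password'],
    'homestead' => ['', 'secret'],   // Laravel Homestead's documented default
    'forge'     => ['', 'forge'],
];

const WEAK_PASSWORDS = ['password', 'secret', '123456', '12345678', 'qwerty',
                        'changeme', 'letmein', 'welcome', 'test', 'pass'];

const SUPERUSERS = ['root', 'sa', 'postgres'];

function credentialIssues(string $username, string $password, int $minLength = 12): array
{
    $issues = [];
    $user = strtolower($username);
    $pass = strtolower($password);

    if ($password === '') {
        return ['empty password'];          // nothing else worth saying
    }
    if (isset(DEFAULT_CREDENTIALS[$user])
        && in_array($password, DEFAULT_CREDENTIALS[$user], true)) {
        $issues[] = "default credential pair {$username}/{$password}";
    }
    if ($pass === $user) {
        $issues[] = 'password equals username';
    }
    if (in_array($pass, WEAK_PASSWORDS, true)) {
        $issues[] = 'password is on the common-weak list';
    }
    if (strlen($password) < $minLength) {
        $issues[] = "password shorter than {$minLength} characters";
    }
    if (in_array($user, SUPERUSERS, true)) {
        $issues[] = "connects as superuser {$username}; use a least-privilege role";
    }
    return $issues;
}

// Constructed connections, in the shape of config('database.connections').
$connections = [
    'mysql'     => ['username' => 'root',   'password' => 'root'],
    'pgsql'     => ['username' => 'app_rw', 'password' => 'secret'],
    'reporting' => ['username' => 'app_ro', 'password' => 'Ws7!k2pQ9vLm4rTz'],
];

foreach ($connections as $name => $conn) {
    $issues = credentialIssues($conn['username'], $conn['password']);
    echo "$name: " . ($issues === [] ? 'OK' : implode('; ', $issues)) . PHP_EOL;
}
```

Run it against the resolved configuration (after .env is loaded), never against .env.example, and treat the default-credential table as something to extend with whatever your own provisioning scripts once used.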

database-backup-security

Purpose: Validates database backup security configuration
Severity: ❌ Error
Environments: production

Checks backup encryption, access controls, and retention policies.

Configuration:

'database-backup-security' => true,

database-query-logging

Purpose: Ensures database query logging is properly configured
Severity: ⚠️ Warning
Environments: all

Validates query logging settings for security monitoring and debugging.

Configuration:

'database-query-logging' => true,

🔑 Authentication Security Rules

password-policy-compliance

Purpose: Verifies that password policy configuration meets security standards
Severity: 🚨 Critical
Environments: all

Checks password requirements including length, complexity, and validation rules.

Configuration:

'password-policy-compliance' => true,

Validates:

  • Minimum password length (recommended: 8+ characters)
  • Password complexity requirements
  • Password history prevention
  • Account lockout policies
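As an added example of a policy that satisfies the length and complexity checks above, this is how the rules are usually expressed in a Laravel application with the framework's own `Illuminate\Validation\Rules\Password` rule object (Laravel 8.43 or later). It is this page's illustration, not code from Laravel Safeguard; the choice of 12 characters rather than the 8 the rule accepts as a floor, and the decision to skip the breach lookup outside production, are assumptions.

```php
<?php
// Added example of a password policy that satisfies the checks listed above,
// using Laravel's built-in Illuminate\Validation\Rules\Password rule object.
// Assumes a Laravel 8.43+ application; this is not Laravel Safeguard's code.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // One definition, reused everywhere via Password::defaults(), so the
        // registration, reset and profile forms cannot drift apart.
        Password::defaults(function () {
            $rule = Password::min(12)   // 8 is the floor; 12 is a better minimum
                ->letters()
                ->mixedCase()
                ->numbers()
                ->symbols();

            // Reject passwords that appear in public breach dumps. This is a
            // k-anonymity lookup against the Have I Been Pwned range API and
            // needs outbound HTTPS, so it is enabled only in production here.
            return $this->app->environment('production')
                ? $rule->uncompromised()
                : $rule;
        });
    }
}
```

A form request then uses `'password' => ['required', 'confirmed', Password::defaults()]`. Password history is not something the rule object provides; it needs your own table of previous hashes checked in the controller. For the lockout item, Laravel's `throttle` middleware on the login route (for example `throttle:5,1`, five attempts per minute) is the minimum, keyed by IP and, in Fortify and Breeze, by username as well.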

two-factor-auth-enabled

Purpose: Validates two-factor authentication configuration
Severity: ⚠️ Warning
Environments: production

Ensures 2FA is properly configured for enhanced security.

Configuration:

'two-factor-auth-enabled' => true,

session-security-settings

Purpose: Validates session security configuration
Severity: ❌ Error
Environments: production, staging

Checks session lifetime, security flags, and storage configuration.

Configuration:

'session-security-settings' => true,

Validates:

  • Session lifetime configuration
  • Session storage security
  • Session regeneration policies
  • Session cookie security flags

🔒 Encryption Security Rules

encryption-key-rotation

Purpose: Validates encryption key management and rotation policies
Severity: ⚠️ Warning
Environments: production

Checks for proper key rotation practices and provides recommendations. Rotating APP_KEY invalidates every session and every value encrypted with the old key unless the old key stays available for decryption; Laravel 11 and later support this with APP_PREVIOUS_KEYS, a comma-separated list of retired keys that the encrypter will still decrypt with while encrypting only with the current APP_KEY.

Configuration:

'encryption-key-rotation' => true,

sensitive-data-encryption

Purpose: Ensures sensitive data is properly encrypted
Severity: 🚨 Critical
Environments: all

Validates encryption of sensitive database fields and stored data.

Configuration:

'sensitive-data-encryption' => true,

📊 Rule Severity Levels

🚨 Critical

Issues that pose immediate security risks and must be fixed before production deployment. These are deal-breakers that can expose your application to serious attacks.

Examples:

  • Debug mode enabled in production
  • Missing application key
  • Hardcoded secrets in code

❌ Error

Important security issues that should be addressed but may not prevent deployment in all cases. These reduce your security posture significantly.

Examples:

  • Missing required environment variables
  • Weak database credentials
  • Insecure file permissions

⚠️ Warning

Recommendations for improved security posture. These are best practices that enhance security but aren't critical vulnerabilities.

Examples:

  • Missing 2FA configuration
  • Suboptimal session settings
  • Encryption key rotation reminders

ℹ️ Info

Informational messages about security configuration that provide helpful context or recommendations.

Examples:

  • Configuration optimization suggestions
  • Security best practice reminders
  • Performance impact notifications

🌍 Environment-Specific Rules

Configure different rules for different environments to balance security with development productivity:

'environments' => [
    'production' => [
        // Strict security rules for production
        'app-debug-false-in-production',
        'app-key-is-set',
        'env-file-permissions',
        'database-connection-encrypted',
        'database-credentials-not-default',
        'password-policy-compliance',
        'encryption-key-rotation',
        'secure-cookies-in-production',
        'https-enforced-in-production',
    ],
    'staging' => [
        // Production-like but slightly relaxed
        'app-debug-false-in-production',
        'csrf-enabled',
        'database-connection-encrypted',
        'app-key-is-set',
    ],
    'local' => [
        // Development-friendly rules
        'app-key-is-set',
        'env-has-all-required-keys',
        'csrf-enabled',
        'storage-writable',
    ],
],

🧪 Testing Specific Rules

Test individual rules in isolation for debugging and validation:

# Test a specific rule
php artisan safeguard:test-rule app-debug-false-in-production

# Test multiple rules
php artisan safeguard:test-rule app-key-is-set csrf-enabled

# Test all rules for an environment
php artisan safeguard:test-environment production

# Get detailed output for a rule
php artisan safeguard:test-rule no-secrets-in-code --verbose

πŸ—οΈ Custom Rule Categories

When creating custom rules, consider organizing them by these categories:

Authentication & Authorization

  • Password policies
  • Session management
  • User permissions
  • Role-based access control

Data Protection

  • Encryption settings
  • Database security
  • File upload validation
  • PII handling

External Services

  • API security
  • Third-party integrations
  • OAuth configurations
  • Webhook security

Infrastructure

  • Server configuration
  • Network security
  • Monitoring setup
  • Logging configuration

Compliance

  • GDPR requirements
  • PCI-DSS compliance
  • HIPAA compliance
  • Industry-specific regulations

📋 Security Checklist

Use this checklist to ensure comprehensive security coverage:

πŸ” Essential Rules (Enable First)

  • app-key-is-set
  • app-debug-false-in-production
  • csrf-enabled
  • no-secrets-in-code

πŸ›‘οΈ Production Rules

  • secure-cookies-in-production
  • https-enforced-in-production
  • env-file-permissions
  • database-connection-encrypted

🔑 Authentication Rules

  • password-policy-compliance
  • session-security-settings
  • two-factor-auth-enabled (if applicable)

πŸ“ File System Rules

  • storage-writable
  • sensitive-files-hidden

πŸ—„οΈ Database Rules

  • database-credentials-not-default
  • database-backup-security

🎯 Best Practices

  1. 🚀 Start with Critical Rules: Enable all critical (🚨) rules first
  2. 🌍 Environment-Specific: Use different rule sets per environment
  3. 📅 Regular Reviews: Periodically review and update your rule configuration
  4. 🏗️ Custom Rules: Create rules specific to your application's security requirements
  5. 📖 Documentation: Document any custom or disabled rules for your team
  6. 🔄 Continuous Integration: Include security checks in your CI/CD pipeline
  7. 👥 Team Training: Ensure your team understands the purpose of each rule

📚 Related Documentation


Next Step: 🏗️ Learn to create custom security rules
