I have developed several Laravel applications and found them to be very safe, in my eyes.
I did a lot of penetration testing: the OWASP ZAP scanner, sqlsus and 5+ other tools, including bbqsql and similar things for tests against the DB handle, nmap for port scanning, then switched ZAP into attack mode to run various XSS and CSRF attacks, and did not find any vulnerabilities in Laravel itself, just a couple of things in my server itself, which I secured.
It's important to say that no application is 100% safe, as it depends a lot on what you are doing.
However, Laravel does a pretty good job out of the box, protecting you from:
SQL Injection: If you use Eloquent queries, this will keep you safe. But you will be vulnerable if you use DB::raw() queries, since they can leave you open to injection.
CSRF: Laravel takes care of this with the help of CSRF tokens, which it checks on each POST request, so make sure you use them. In essence this protects you from someone changing the nature of the request, i.e. from POST to GET.
XSS: sanitize user input first. Variables are not escaped when using the Blade syntax {!! !!}, which allows <?= e($foo) ?> inside your HTML code, while {{ }} escapes the data.
This is a fairly brief overview of Laravel security. Once you start opening files, doing file downloads, etc., it can get a little more complicated, and so can doing unsafe things in PHP.
This article may be interesting to read here in order to get a more detailed description of the above.
In short, I found that Laravel was protected from all the attacks I had ever carried out, using Eloquent and sanitizing the input where necessary, as well as the proper use of the Blade syntax and CSRF tokens.
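The three mechanisms the answer above relies on (parameter binding instead of raw SQL, escaped versus unescaped output, and a CSRF token check) can be shown without the framework. The following is an added example, not code from the original answer or from Laravel itself: it uses plain PDO, `htmlspecialchars` and `hash_equals` to stand in for what Eloquent, Blade's `{{ }}` and the CSRF middleware do under the hood. The table, the attacker inputs and the function names are constructed for the demonstration; it assumes a PHP build with the pdo_sqlite extension.

```php
<?php
// Added example (not part of the original answer). Demonstrates the
// mechanisms behind Laravel's protections using plain PHP so it runs
// stand-alone. Assumes php with the pdo_sqlite extension enabled.

declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table with two users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// Attacker-controlled input, as it might arrive in a request parameter.
$input = "' OR 1=1 --";

// 1. The DB::raw() / string-concatenation pattern the answer warns about:
//    the input is pasted into the SQL text and becomes part of the query.
function findByNameRaw(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. What Eloquent and the query builder do: the value travels as a bound
//    parameter, so it cannot change the structure of the statement.
function findByNameBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findByNameRaw($pdo, $input));   // ['alice', 'bob']: the WHERE clause was bypassed
var_dump(findByNameBound($pdo, $input)); // []: nobody is literally named "' OR 1=1 --"

// 3. Blade's {{ }} compiles to e(), which is essentially htmlspecialchars()
//    with ENT_QUOTES in UTF-8; {!! !!} emits the value verbatim.
function renderEscaped(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

function renderUnescaped(string $value): string
{
    return '<p>' . $value . '</p>';
}

$payload = '<script>alert(1)</script>';
echo renderUnescaped($payload), "\n"; // <p><script>alert(1)</script></p>  (script executes)
echo renderEscaped($payload), "\n";   // <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

// 4. The shape of a CSRF token check on a POST request: the token stored in
//    the session must match the one submitted with the form, compared in
//    constant time. Hypothetical helper, modelled on what the middleware does.
function verifyCsrfToken(string $sessionToken, ?string $requestToken): bool
{
    if ($requestToken === null || $sessionToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $requestToken);
}

$sessionToken = bin2hex(random_bytes(20)); // what the framework would keep in the session
var_dump(verifyCsrfToken($sessionToken, $sessionToken)); // true: form carried the right token
var_dump(verifyCsrfToken($sessionToken, 'forged'));      // false: cross-site form without it
var_dump(verifyCsrfToken($sessionToken, null));          // false: token missing entirely
```

Run it with `php example.php`. The raw query returns both rows because the `--` comments out the closing quote, while the bound query returns nothing; the escaped render turns the script tags into entities; and the token check rejects anything that does not exactly match the session's token.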