About Laravel 5.1 Security


Question

I'm a newbie at developing projects in Laravel 5.1.

I want to learn how I can avoid security risks. What kinds of attacks does Laravel secure against? And what kinds of attacks is Laravel not secure against?

Using middleware is a good way to handle authorization.

And I know Laravel is secured against CSRF attacks.

Is there anything else that I should know? What about SQL injection? Is Laravel secure or not?

Answer

The short answer

Laravel 5.1 is well secured with regard to SQL injection, CSRF and XSS by default.

In my opinion, what you should be aware of:

1- It is not only Laravel alone that is responsible for your web application's security, but also the environment surrounding it.
    - The web server should be configured correctly and securely.
    - It is an advantage to use SSL (a certificate) on your domain.
    - Only use SFTP over SSH for file transfer, and only use SSH for console connections.
    - Use a trusted provider and a physically secured server environment.
    - Back up your files and your database regularly, and move the data outside your provider's server location.
    - Use different usernames and passwords for the SSH console, the database and other services.
    - For SSH access and database access, do not use the admin or root username often; keep it only for emergency use. Instead, create a sub-admin/root account and use that.

2- Above all of that, when you develop further on your Laravel project, you might risk bad programming that breaks Laravel's default security rules.

Therefore, it is suggested not to count on the default security. You need to do your own penetration test when your project is done, to ensure everything is working and secured as planned. Follow some simple security rules and you will be perfectly on the safe side.

I suggest you look at this link regarding CSRF, and at the link in @ImtiazPabel's comment.

Finally, these links are good to check:

  • https://www.owasp.org/index.php/Top_10_2013-Top_10
  • https://www.owasp.org/index.php/OWASP_Proactive_Controls
  • https://www.owasp.org/images/9/9b/OWASP_Top_10_Proactive_Controls_V2.pdf

EDIT
OP asked in comments:

Can we say Request::get($data) is totally safe?

Request::get($data) is also safe.

Note
I and 3 other guys made a primitive project to measure the security level of Laravel 5.1 a few months back, and it passed successfully without any remarkable comments.
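Two points in this answer, the default protections and the "bad programming" that defeats them, are easier to see in code. The following is an added example; it is not code from the original question or answer and not Laravel's own source. It assumes a Laravel 5.1 application with a `users` table, and the controller, method and view names in it are hypothetical. It shows the same user-supplied value handled the safe way and the unsafe way for SQL (bindings vs. string interpolation), for output (Blade's escaped `{{ }}` vs. raw `{!! !!}`), and for CSRF (the token field and the `$except` list on the VerifyCsrfToken middleware).

```php
<?php
// Added example, not from the original page. Assumes a Laravel 5.1 app with a
// `users` table. UserSearchController and its methods are hypothetical names.

namespace App\Http\Controllers;

use DB;
use Illuminate\Http\Request;

class UserSearchController extends Controller
{
    // --- SQL injection -------------------------------------------------
    // $request->get() returns the string exactly as the client sent it.
    // The query builder protects you only when that string travels as a
    // PDO binding; interpolating it into SQL text throws the protection away.

    public function findUserUnsafe(Request $request)
    {
        $name = $request->get('name');   // attacker sends:  x' OR '1'='1

        // VULNERABLE: the value becomes part of the SQL text itself.
        return DB::select("SELECT * FROM users WHERE name = '$name'");
    }

    public function findUserSafe(Request $request)
    {
        $name = $request->get('name');

        // SAFE: the builder sends `name = ?` and binds $name separately.
        return DB::table('users')->where('name', $name)->get();

        // Equally safe when raw SQL is really needed: placeholder + bindings.
        // return DB::select('SELECT * FROM users WHERE name = ?', [$name]);

        // Still VULNERABLE although it "uses the query builder":
        // return DB::table('users')->whereRaw("name = '$name'")->get();
    }
}
```

```php
{{-- resources/views/users/show.blade.php (hypothetical view, added example) --}}

{{-- XSS, SAFE: double braces pass the value through htmlspecialchars(),
     so <script>alert(1)</script> is rendered as literal text. --}}
<p>Hello, {{ $user->name }}</p>

{{-- XSS, VULNERABLE: {!! !!} echoes the raw string; a name containing
     <script>...</script> becomes executable markup in the page. --}}
<p>Hello, {!! $user->name !!}</p>

{{-- CSRF, SAFE: every state-changing form carries the session token.
     Without it the VerifyCsrfToken middleware rejects the POST with a
     TokenMismatchException. In 5.1 csrf_field() returns plain HTML, hence {!! !!}. --}}
<form method="POST" action="/users/{{ $user->id }}/delete">
    {!! csrf_field() !!}
    <button type="submit">Delete account</button>
</form>
```

```php
<?php
// app/Http/Middleware/VerifyCsrfToken.php (the file Laravel 5.1 ships; only the
// $except entry is the added example). Every URI listed here is exempted from
// the token check, so each entry is a deliberate hole: keep it empty unless a
// route really must accept unauthenticated third-party POSTs (e.g. a webhook).

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    protected $except = [
        // 'users/*',        // VULNERABLE: would re-open CSRF on every users/ route
        'webhooks/payment',  // acceptable only if the handler authenticates the caller itself
    ];
}
```

The retrieval step and the use step are separate: `Request::get()` neither quotes nor escapes anything, and it does not need to. What decides whether the request is safe is what happens where the value is used: a parameter binding when it reaches SQL, an escaped echo when it reaches HTML, and a present token when it arrives on a state-changing request. The penetration test the answer recommends is mostly a hunt for the places where one of those three was skipped.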
