Laravel is a popular open-source web application framework written in PHP, and it is supported by many developers due to its security and convenience.

Below are the basic guidelines for configuring secure permissions in Laravel. The key point is to ensure that files and directories are properly protected, the application functions correctly, and unnecessary risks are eliminated.

This article provides a detailed explanation of secure permission settings and security considerations for Laravel.

Basic Principles of Permissions

File and directory permissions control access to resources at the operating system level. In general, UNIX-based operating systems have three categories: user, group, and others. For each category, three types of actions are defined: read, write, and execute.

The three digits in a permission setting give the access for these three categories in order: owner, group, others. Each digit is the sum of read (4), write (2) and execute (1). For example, 755 means the owner may read, write and execute (7 = 4+2+1), while group members and all other users may read and execute but not write (5 = 4+1). For a directory, execute means the right to enter it and open the files inside.

Directory Permissions

storage and bootstrap/cache: Laravel writes logs, sessions, caches and compiled views here, so the web server user must be able to write to these directories. Use 775 if the web server runs under the group of the directory, or 755 if the web server user is the owner. Do not fall back to 777: that lets every local account plant files that the application will later include or serve.

chmod -R 775 storage bootstrap/cache

Other directories: 755 is generally recommended. If you run the command below over the whole project, run it before the chmod on storage and bootstrap/cache above; otherwise it resets those directories to 755 and the application can no longer write its logs and caches.

find directory_name -type d -exec chmod 755 {} \;

File Permissions

Generally, use 644. Scripts such as artisan lose their execute bit, which is harmless because they are normally invoked as php artisan; restore 755 on artisan if you prefer to run it directly.

find directory_name -type f -exec chmod 644 {} \;

Owner and Group Settings

The simplest setup is to give the web server user (www-data, nginx, apache, etc.) ownership of the whole project. Be aware that this also lets a compromised PHP process rewrite application code. A tighter arrangement keeps a separate deploy account as the owner, uses the web server's group as the group (the part after the colon in the command below), and grants group write only on storage and bootstrap/cache.

chown -R www-data:www-data /path-to-your-laravel-project

Specific Security Notes

SSH Key Permissions

Apply permissions of 600 to private keys; the ~/.ssh directory itself should be 700. The ssh client refuses to use a private key that is readable by group or others, so a loose mode breaks deployments as well as weakening them.

chmod 600 ~/.ssh/id_rsa

.env File Permissions

Use the minimum permissions that allow the web server to read the file. 644 lets every account on the host read the database password and APP_KEY; prefer 640 with the web server's group as the group, or 600 if the web server user owns the file.

Also, make sure that APP_KEY is set in the .env file (it encrypts sessions, cookies and anything passed through Laravel's encrypter). It can be generated with the php artisan key:generate command. Set APP_DEBUG=false in production as well, because the debug error page prints stack traces and environment details to the visitor.

Configuration of Non-Public Files

Files containing application configuration or database credentials should be placed outside the web root and protected from public access. Laravel's layout already does this: only the public directory is meant to be the document root, so .env, config/ and vendor/ sit above it. Verify that the virtual host's document root points at public/ and not at the project root; otherwise these files become downloadable.
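The following POSIX shell script is an added example, not code from the article or from the Laravel project. It applies the permission model from the sections above (755 directories, 644 files, writable storage and bootstrap/cache, restricted .env) in the order that avoids the reset problem, then audits the tree for world-writable paths, code that the web server group could modify, and a loose .env. The owner/group model (a hypothetical deploy account as owner, the web server's group as group), the function names and the LARAVEL_ROOT, DEPLOY_USER and WEB_GROUP variables are this example's own assumptions, not Laravel conventions.

```shell
#!/bin/sh
# Added example: apply and audit the Laravel permission model described above.
# Assumed layout: OWNER is a deploy account, GROUP is the web server's group
# (www-data on Debian/Ubuntu). Run as root on a real host.
set -eu

# Print the octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_laravel_tree ROOT OWNER GROUP
# The blanket 755/644 pass runs first, then the writable directories are
# opened up, then .env is tightened. Four-digit modes are used so GNU chmod
# does not preserve a stale setgid bit on directories.
harden_laravel_tree() {
  root=$1 owner=$2 group=$3
  chown -R "$owner:$group" "$root"
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -exec chmod 0644 {} +
  # Laravel writes logs, sessions, caches and compiled views here.
  for d in storage bootstrap/cache; do
    if [ -d "$root/$d" ]; then
      find "$root/$d" -type d -exec chmod 0775 {} +
      find "$root/$d" -type f -exec chmod 0664 {} +
    fi
  done
  # Secrets: readable by the owner and the web server's group only.
  if [ -f "$root/.env" ]; then chmod 0640 "$root/.env"; fi
  # Keep ./artisan directly runnable for the deploy account.
  if [ -f "$root/artisan" ]; then chmod 0755 "$root/artisan"; fi
}

# check_laravel_tree ROOT
# Returns 0 when the tree matches the model, 1 (findings on stdout) otherwise.
check_laravel_tree() {
  root=$1 rc=0
  # Nothing may be world-writable, not even inside storage.
  ww=$(find "$root" -perm -002 -print)
  if [ -n "$ww" ]; then
    printf 'world-writable:\n%s\n' "$ww"; rc=1
  fi
  # Application code must not be writable by the web server's group.
  gw=$(find "$root" \( -path "$root/storage" -o -path "$root/bootstrap/cache" \) -prune \
        -o -perm -020 -print)
  if [ -n "$gw" ]; then
    printf 'group-writable outside storage and bootstrap/cache:\n%s\n' "$gw"; rc=1
  fi
  if [ -f "$root/.env" ]; then
    case "$(mode_of "$root/.env")" in
      600|640) ;;
      *) printf '.env is mode %s, expected 600 or 640\n' "$(mode_of "$root/.env")"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Usage (hypothetical paths and accounts):
#   LARAVEL_ROOT=/var/www/app DEPLOY_USER=deploy WEB_GROUP=www-data sh harden.sh
if [ -n "${LARAVEL_ROOT:-}" ]; then
  harden_laravel_tree "$LARAVEL_ROOT" "${DEPLOY_USER:-$(id -un)}" "${WEB_GROUP:-www-data}"
  check_laravel_tree "$LARAVEL_ROOT" && echo "permissions OK"
fi
```

The audit is the part worth keeping around: run check_laravel_tree after every deployment, since composer, artisan commands run as root, or a hasty chmod -R 777 during debugging will silently undo the model.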

Security Considerations

Firewall Configuration

Block unnecessary ports and allow access only to the minimum required services.

Database Connections

Database credentials are stored in the .env file, but to avoid unnecessary remote connections, bind the database server to localhost (or a private interface) whenever possible, and restrict the Laravel database account, in the database's own grants, to that host and to the single database it needs.

Use of HTTPS

Encrypting communication with TLS reduces the risk of data, including session cookies, being intercepted on the network. Let's Encrypt provides free certificates. Redirect plain HTTP to HTTPS so that no request is served unencrypted.

Disabling Directory Listing

Check whether the web server allows directory listing and disable it (Options -Indexes in Apache, autoindex off in nginx). Laravel's public/ directory contains an index.php, so the root itself is never listed, but subdirectories under public/ without an index file would be, exposing uploaded files and asset names.

Use of CSP Headers

Use Content Security Policy (CSP) headers to control which origins a page may load scripts, styles and other resources from, which limits what an injected script can do. Start with the Content-Security-Policy-Report-Only header to see what the policy would block before enforcing it.

Use these guidelines to strengthen the security of your Laravel application and protect it from common security risks. No security measure can guarantee 100% protection, but applying these practices will help you avoid many common issues.

※Please use this information at your own risk if you choose to reuse it.