Laravel Security Scanner

Free Laravel Security Scanner

Scan your Laravel application for the most common production mistakes: exposed .env files, APP_DEBUG=true leaking stack traces, missing CSRF tokens, and outdated framework versions.

Scan My Laravel App — Free

No signup · No credit card · Results in 30 seconds

What the scanner checks

Exposed .env file

Tests whether /.env is accessible over HTTP — the single most common Laravel breach vector, exposing database credentials, APP_KEY, and API tokens.

APP_DEBUG in production

Detects whether Laravel is running with APP_DEBUG=true, which leaks stack traces, environment variables, and database queries on error pages.

Ignition/Telescope exposed

Scans for exposed /telescope and Ignition debug endpoints that reveal database queries, jobs, cache contents, and session data.

CSRF token enforcement

Verifies that forms include @csrf tokens and that VerifyCsrfToken middleware is active on POST/PUT/DELETE routes.

Session cookie security

Checks laravel_session cookie for Secure, HttpOnly, and SameSite flags. Flags weak SESSION_SECURE_COOKIE config in production.

Composer package vulnerabilities

Identifies detectable PHP framework versions and maps them to known CVEs from the PHP Security Advisory Database.
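The checks listed above, as an added example in Python that is not the scanner's own code: small classifiers for the .env, debug-page, Telescope and session-cookie checks, run over constructed sample responses so the logic can be exercised offline. The marker strings used to recognise a debug error page, the Telescope title heuristic, and the fetch() helper (which deliberately does not follow redirects, so a 302 to a login page is reported as gated rather than exposed) are assumptions of this example; in use, point fetch() at your own deployment.

```python
"""Offline classifiers for the checks listed above (added example, not the
scanner's own code). SAMPLE below is constructed; in use, build the same
dict from fetch() calls against your own deployment."""
import re
import urllib.error
import urllib.request

# A real dotenv body has several KEY=VALUE lines and a Laravel-specific key.
_ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.MULTILINE)
_LARAVEL_KEYS = ("APP_KEY=", "DB_PASSWORD=", "APP_ENV=")
# Heuristic markers of a debug error page (assumption, not a scanner rule).
_DEBUG_MARKERS = ("vendor/laravel/framework/src/Illuminate", "Stack trace", "APP_KEY")


def looks_like_env_file(status, body):
    """True when GET /.env returned what looks like a real dotenv file.
    A 200 alone proves nothing (many hosts answer 200 with HTML for any
    path), so require several KEY=VALUE lines plus a Laravel-specific key."""
    if status != 200 or "<html" in body.lower():
        return False
    return len(_ENV_LINE.findall(body)) >= 3 and any(k in body for k in _LARAVEL_KEYS)


def debug_page_exposed(status, body):
    """True when a 5xx response carries a stack trace or env dump instead of
    Laravel's generic error page."""
    return status >= 500 and any(m in body for m in _DEBUG_MARKERS)


def telescope_exposed(status, body):
    """Telescope's UI answers 200 with its own HTML; a 302 to a login page or
    a 403/404 means it is disabled or gated (assumed title heuristic)."""
    return status == 200 and "telescope" in body.lower()


def missing_cookie_flags(set_cookie, cookie_name="laravel_session"):
    """Flags the session cookie should carry but this Set-Cookie header lacks.
    Headers for other cookies (e.g. XSRF-TOKEN) are ignored."""
    name, _, rest = set_cookie.partition("=")
    if name.strip() != cookie_name:
        return []
    attrs = {a.strip().split("=", 1)[0].lower() for a in rest.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]


def audit(responses):
    """responses: {path: (status, headers_dict, body)} with lower-case header
    names. Returns a de-duplicated list of finding names."""
    findings = []

    def add(name):
        if name not in findings:
            findings.append(name)

    status, _, body = responses.get("/.env", (404, {}, ""))
    if looks_like_env_file(status, body):
        add("env_exposed")
    status, _, body = responses.get("/telescope", (404, {}, ""))
    if telescope_exposed(status, body):
        add("telescope_exposed")
    for path, (status, headers, body) in responses.items():
        if debug_page_exposed(status, body):
            add(f"debug_page:{path}")
        for flag in missing_cookie_flags(headers.get("set-cookie", "")):
            add(f"session_cookie_missing_{flag}")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, path, timeout=10):
    """Fetch one path from your own deployment, returning (status, headers,
    body) in the shape audit() expects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")


# Constructed responses for a badly configured deployment (not captured data).
SAMPLE = {
    "/.env": (200, {}, "APP_NAME=Demo\nAPP_ENV=production\nAPP_KEY=base64:EXAMPLEKEY\nDB_PASSWORD=secret\n"),
    "/telescope": (200, {}, "<html><title>Telescope - Demo</title></html>"),
    "/": (200, {"set-cookie": "laravel_session=abc; path=/; httponly; samesite=lax"}, "<html>ok</html>"),
    "/error-sample": (500, {}, "<html>Whoops: in vendor/laravel/framework/src/Illuminate/Foundation/...</html>"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For a live run, build the dict as `{p: fetch("https://your-app.example", p) for p in ("/.env", "/telescope", "/")}` and pass it to audit(); only "/" normally sets the session cookie, and the debug-page check only fires on paths that actually returned a 5xx.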

Laravel's #1 Security Issue Is Configuration, Not Code

Laravel is a secure framework by design, but almost every Laravel breach starts with the same mistake: an exposed .env file in the webroot. Attackers crawl millions of URLs looking for /.env, and a single hit reveals database passwords, APP_KEY, AWS credentials, and API tokens.

The second most common issue is APP_DEBUG=true in production. Laravel's debug mode shows full stack traces including environment variables — effectively giving attackers the same information as an exposed .env file. Our scanner tests for both, plus exposed Telescope/Ignition endpoints, missing CSRF protection, and insecure session cookies.

Frequently Asked Questions

How do I protect .env in a Laravel app?

Never put Laravel's document root at the project root. Point your webserver to the /public directory so files like .env, composer.json, and artisan are outside the web-accessible path. Additionally, deny access to dotfiles in your Nginx or Apache config.
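The two steps in this answer as an added Nginx example (not the scanner's or Laravel's own file): the weak root line is left as a comment beside the hardened one, and a dotfile-deny block is added so .env stays unreachable even if the root is later changed. The hostname, project path and PHP-FPM socket path are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;          # placeholder hostname

    # Weak: serving the project root exposes .env, composer.json and artisan.
    # root /var/www/myapp;
    # Hardened: only Laravel's public/ directory is web-accessible.
    root /var/www/myapp/public;           # placeholder project path

    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Deny every dotfile (.env, .git, .htaccess) while still allowing
    # /.well-known/ for ACME and similar.
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After reloading, confirm from outside that /.env returns 403 or 404 and that /index.php still serves the application.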

Why is APP_DEBUG=true dangerous in production?

With APP_DEBUG=true, any unhandled exception shows a full stack trace with environment variables, database queries, and file paths. Attackers intentionally trigger errors to extract secrets. Always set APP_DEBUG=false in production and use proper logging.

Is Laravel Telescope safe to expose?

No. Laravel Telescope shows all database queries, cache operations, jobs, HTTP requests, and session data. It should never be exposed in production. Either disable it entirely or restrict access with middleware and strong authentication.

Does Laravel provide CSRF protection by default?

Yes, via the VerifyCsrfToken middleware in the web middleware group. You must include @csrf in every form. API routes use Sanctum or token-based auth instead. Our scanner verifies CSRF tokens are present on HTML forms.

How do I secure session cookies in Laravel?

Set SESSION_SECURE_COOKIE=true in .env to require HTTPS, SESSION_HTTP_ONLY=true to block JavaScript access, and SESSION_SAME_SITE=lax to mitigate CSRF. Laravel ships with safe defaults for these settings, but confirm they are explicitly enabled in your production configuration.

Lock down your Laravel deployment

Free, instant, no signup. Detailed vulnerability report with fix instructions.

Run Free Laravel Scan