Laravel provides strong defaults — but production security fails on custom code: missing policies, debug mode in prod, leaked .env, and unvalidated webhooks.
Checklist
- APP_DEBUG=false in production
- Policies on all resource routes
- Rate limiting on login and API
- Webhook signature verification
- Encrypted cookies and HTTPS only
- composer audit in CI
- Tenant scope tests for IDOR