> laravel-security
Harden Laravel apps with Policies for model authorization, Gate-based RBAC, validated mass assignment, and CSRF protection. Use when creating authorization policies, securing env config access, or preventing mass assignment vulnerabilities. (triggers: app/Policies/**/*.php, config/*.php, policy, gate, authorize, env, config)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/laravel-security?format=md"Laravel Security
Priority: P0 (CRITICAL)
Workflow: Secure a Resource
- Generate policy —
php artisan make:policy PostPolicy --model=Post. - Implement policy methods — Return
boolforview,update,deleteactions. - Authorize in controller — Call
$this->authorize('update', $post). - Add Gate bypass — Define
Gate::before()for admin users inAuthServiceProvider. - Validate inputs — Use Form Request with
$request->validated()forModel::create().
Policy Example
See implementation examples for Policy class with controller authorization.
Implementation Guidelines
Authorization & RBAC
- Policies: Always use
php artisan make:policy PostPolicy --model=Postfor model-level authorization. - Checkers: Implement
update(User $user, Post $post): booland call$this->authorize('update', $post)in controllers. - Gates: Use
Gate::define('admin', fn(User $user) => ...)for global permissions. Check withGate::allows('admin')or Blade@can('admin'). prefer Policies for model-bound checks; use Gates for global permissions. - Admin Bypass: Define
Gate::before(fn($u) => $u->isAdmin() ? true : null)inAuthServiceProvider.
Configuration & Environment
- Environment: Only call env() inside config/*.php files. Access via
config('app.key')in your application code. never env() in controllers; use config() instead. - Caching: Run
php artisan config:cacheto validate thatenv()isn't used where it shouldn't be.
Data & Input Security
- Mass Assignment: Use Form Request with rules() and call $request->validated() for Model::create(). Define $fillable on model; never pass $request->all() to create().
- CSRF: Ensure the @csrf directive is in all Blade
<form>tags. active on web routes by default; use->except(['/webhook'])only for trusted third-party callbacks. - Role-Based Access: Use Policies with role checks in policy methods; define
Gate::beforefor admin bypass; or usespatie/laravel-permission; never inline $user->role === 'admin'.
Anti-Patterns
- No
env()outside config files: Access viaconfig()helper. - No custom auth logic: Use Laravel's built-in auth system.
- No unvalidated mass assignment: Always call
validated(). - No auth logic in Blade: Pass permissions as data from controller.
References
> related_skills --same-repo
> common-store-changelog
Generate user-facing release notes for the Apple App Store and Google Play Store by collecting git history, triaging user-impacting changes, and drafting store-compliant changelogs. Enforces character limits (App Store ≤4000, Google Play ≤500), tone, and bullet format. Use when generating release notes, app store changelog, play store release, what's new, or version release notes for any mobile app. (triggers: generate changelog, app store notes, play store release, what's new, release notes, ve
> golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
> common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
> common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Load during any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)