
Security Architecture: Defense in Depth

Shane Barron

Laravel Developer & AI Integration Specialist

Security Is Architecture

Security isn't a feature you add at the end—it's an architectural concern that affects every layer of your system. Defense in depth means multiple layers of protection, so a breach in one doesn't compromise everything.

Authentication Layer

// Multi-factor authentication
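class LoginController
{
    /**
     * Authenticate with email + password, then send the user to the second
     * factor when one is enrolled, otherwise to the dashboard.
     *
     * @return Response redirect to `mfa/verify`, `dashboard`, or back with a
     *                  generic credentials error
     */
    public function login(Request $request): Response
    {
        if (! Auth::attempt($request->only('email', 'password'))) {
            // One generic message for unknown email and wrong password alike,
            // so the response does not reveal which accounts exist.
            return back()->withErrors(['email' => 'Invalid credentials']);
        }

        // Rotate the session id on the privilege change so a session id the
        // browser held before login cannot be reused (session fixation).
        $request->session()->regenerate();

        if ($request->user()->mfa_enabled) {
            // NOTE(review): the session is already fully authenticated here;
            // the redirect alone does not enforce MFA. Routes other than
            // `mfa/verify` need middleware that checks second-factor completion.
            return redirect('mfa/verify');
        }

        return redirect('dashboard');
    }
}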

// Session security
'session' => [
    'lifetime' => 120,          // idle lifetime in minutes before the session is invalidated
    'expire_on_close' => true,  // session cookie is discarded when the browser closes
    'encrypt' => true,          // session payload is encrypted before it is stored
    'secure' => true,           // cookie is only sent over HTTPS; NOTE(review): plain-HTTP dev setups will not receive it
    'http_only' => true,        // cookie is not readable from JavaScript (limits session theft via XSS)
    'same_site' => 'strict',    // cookie is not sent on cross-site requests (CSRF mitigation)
],

Authorization Layer

// Policies for resource authorization
class OrderPolicy
{
    /**
     * A user may view an order they own, any order when they hold the admin
     * role, or any order that belongs to one of their teams.
     */
    public function view(User $user, Order $order): bool
    {
        if ($user->id === $order->user_id) {
            return true;
        }

        if ($user->hasRole('admin')) {
            return true;
        }

        return $user->belongsToTeam($order->team_id);
    }

    /**
     * Deletion requires the `orders.delete` permission and is refused once an
     * order is completed.
     *
     * NOTE(review): ownership is not checked here, so any holder of the
     * permission may delete any non-completed order — confirm that is intended.
     */
    public function delete(User $user, Order $order): bool
    {
        if (! $user->hasPermission('orders.delete')) {
            return false;
        }

        return $order->status !== 'completed';
    }
}

Input Validation

class StoreOrderRequest extends FormRequest
{
    /**
     * Validation rules for creating an order.
     *
     * NOTE(review): `exists:customers,id` only proves the row is present; it
     * does not tie the customer to the caller. Ownership/tenant scoping still
     * has to happen in the policy or through a scoped `Rule::exists()`.
     */
    public function rules(): array
    {
        $lineItemRules = [
            'items' => ['required', 'array', 'min:1'],
            'items.*.product_id' => ['required', 'exists:products,id'],
            'items.*.quantity' => ['required', 'integer', 'min:1', 'max:100'],
        ];

        return array_merge(
            ['customer_id' => ['required', 'exists:customers,id']],
            $lineItemRules,
            ['notes' => ['nullable', 'string', 'max:1000']],
        );
    }
}

Data Encryption

// Encrypt sensitive fields
class User extends Model
{
    // Attribute casts. `encrypted` stores the column encrypted at rest and
    // decrypts it on read, so the plaintext only exists in memory.
    // NOTE(review): encrypted columns cannot be matched in `where` clauses, and
    // the ciphertext depends on the application key — confirm a re-encryption
    // step exists before that key is rotated.
    protected $casts = [
        'ssn' => 'encrypted',
        'tax_id' => 'encrypted',
    ];
}

// Field-level encryption for maximum security
class EncryptedField
{
    /**
     * Encrypt a plaintext string with the application encrypter.
     */
    public static function encrypt(string $value): string
    {
        $payload = Crypt::encryptString($value);

        return $payload;
    }

    /**
     * Decrypt a payload produced by {@see encrypt()}.
     *
     * @throws \Illuminate\Contracts\Encryption\DecryptException when the payload
     *         is malformed or fails authentication — let it propagate; a failure
     *         here means the stored value was altered, not that it is empty
     */
    public static function decrypt(string $encrypted): string
    {
        $plaintext = Crypt::decryptString($encrypted);

        return $plaintext;
    }
}

Network Security

// Rate limiting
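RateLimiter::for('api', function (Request $request) {
    // Bucket by user id when authenticated, otherwise by client IP. `??` rather
    // than `?:` so the choice depends on null-ness, not truthiness.
    // NOTE(review): the IP fallback is only as reliable as the trusted-proxy
    // configuration, and clients behind a shared NAT or CDN share one bucket.
    return Limit::perMinute(60)->by($request->user()?->id ?? $request->ip());
});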

// IP whitelisting for admin
Route::prefix('admin')
    ->middleware(['auth', 'admin', 'ip.whitelist'])
    ->group(function () {
        // Admin routes are registered here; each inherits the
        // auth -> admin -> ip.whitelist stack above.
        // NOTE(review): the client IP the allow-list sees is only meaningful
        // when trusted proxies are configured — confirm that before relying on it.
    });

Audit Logging

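class AuditLogger
{
    /**
     * Persist an audit record for an action performed on a model.
     *
     * @param string $action  short verb describing what happened; callers choose the vocabulary
     * @param Model  $model   the affected model; its class name and primary key are recorded
     * @param array  $changes attribute diff stored verbatim alongside the record.
     *                        NOTE(review): redact secrets before passing them in —
     *                        attributes with an `encrypted` cast are plaintext once read.
     */
    public function log(string $action, Model $model, array $changes = []): void
    {
        AuditLog::create([
            // null when no user is authenticated (queued jobs, console commands)
            'user_id' => auth()->id(),
            'action' => $action,
            'model_type' => $model::class,
            // getKey() rather than ->id so models with a custom primary key are recorded
            'model_id' => $model->getKey(),
            'changes' => $changes,
            'ip_address' => request()->ip(),
            'user_agent' => request()->userAgent(),
        ]);
    }
}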

Conclusion

Security architecture requires thinking about authentication, authorization, encryption, and monitoring as fundamental concerns. Build these patterns into your architecture from day one.

Shane Barron

Strategic Technology Architect with 40 years of experience building production systems. Specializing in Laravel, AI integration, and enterprise architecture.
