Practical Laravel Security is hands-on course that uses interactive hacking exercises to teach you how to keep your applications secure.
Because learning security doesn't have to be boring!

Sign up to the presale now at a discounted rate and get full access to the course when it launches in December.

Or you can susbcribe to the mailing list for more information and to be notified when it's ready.

Why is Laravel Security important?

It's easy to make the assumption that a robust framework like Laravel is secure, but most of the time, it's the little things which expose vulnerabilities in your apps.

Let's take a look at some recent examples from the news...

1. Australian telecommunications company Optus was recently hacked due to allegedly leaving an unauthenticated API endpoint exposed "with the assumption that the API would only be used by authorised company systems."

2. PortSwigger discovered a vulnerability in a Mastodon fork that allowed them to steal user passwords, caused by a weak Content Security Policy (CSP) and flexible limitations on user inputs: "The form-action directive could prevent these sorts of attacks".

3. Fortbridge discovered the REST API in Plesk was lacking adequate Cross-Site Request Forgery (CSRF) protection, which allowed them to craft custom attacks that affect "all the POST requests and we could abuse most of the APIs with it".

All of these were small and overlooked vulnerabilities in otherwise robust and secure systems.

Practical Laravel Security teaches you how to avoid, find and fix these small mistakes, so unlike these apps, yours won't get hacked!

Course Outline

I believe the best way to learn how to defend against the hackers, is to first learn how to hack (ethically, of course...).

So we start by learning their attacks.

First we'll cover the theory - what is is? How does it work? Why would they use it?

And then you'll learn how to do it yourself! Each module will give you hands on practical exercises where you can put your new hacking skills to use!

Of course, there's no point teaching you an attack without also teaching you how to defend against it. So in the Defend modules, I'll teach you exactly what tools you need to protect your site from the attacks you've just learnt.

Finally, in the History section, you can learn from their mistakes. We'll look at previously disclosed vulnerabilities in Laravel and the community. I'll show you exactly what when wrong, and how they were fixed.


  1. Cross-Site Scripting (XSS)
  2. SQL Injection (SQLi)
  3. Cross-Site Request Forgery (CSRF)
  4. Insecure Direct Object References (IDOR)
  5. Type Juggling
  6. Credential Stuffing
  7. PHP Object Injection
  8. Remote Code Execution (RCE)
  9. Server-Side Request Forgery (SSRF)
  10. And more...


  1. Escaping Output
  2. Input Validation
  3. Password Security
  4. Policy Objects
  5. Rate Limiting
  6. Signed URLs
  7. Authentication
  8. Authorisation
  9. Browser Security Headers
  10. Content Security Policy (CSP)
  11. Subresource Integrity (SRI)
  12. And more...


  1. [Redacted]
  2. [Redacted]
  3. [Redacted]

Who Am I?

Hi, I'm Stephen Rees-Carter, and I've spent the past year conducting security audits on Laravel applications of all sizes. As you can imagine, I've seen a lot of great code, but I've also seen a some truly terrifying code, with the same mistakes made over and over again!

However, what I've seen most often are the small mistakes, the missing pieces, forgotten and overlooked pieces of code that introduce a subtle yet critical vulnerabilities. Just as bugs sneak into our code, so to do these vulnerabilities.

I want to teach you find and fix these subtle bugs before someone else exploits them!

My conference talks were once described as "like watching someone do a magic trick but the magic trick is terrifying", and this is the experience I'm hoping to replicate in this course... But this time, you'll be the one doing the magic tricks!

I hope you'll come on this security journey with me! If you've got any questions about the course, feel free to email me. You can also find me on Twitter and Mastodon.

Limited Time Presale Signup

Sign up to the presale now at a discounted rate and get full access to the course when it launches in December.

Feedback From Past Talks

On Social Media

Frequently Asked Questions

Who is this course for?

Laravel Developers of all skill levels, regardless of their security knowledge. The concepts will be explained for those without prior knowledge, and the challenges will range from easy to hard, so everyone can get something out of it.

What about Laravel Security in Depth?

The idea is that they compliment each other, rather than overlap and reuse content. I love writing the emails each week, so I definitely want to make it unique. The course is focused on specific vulnerabilities and how to find and fix them in your own code, so it will be a very practical look at things. While the newsletter will look more at concepts, implementations, recent changes in Laravel, etc, looking into security implementations. Also looking at concepts like the OWASP Top 10 - which will guide the course in a way, but won't be featured directly.

Does it require any special software?

No. Everything you need will be available in the browser, although it hasn't been optmised for mobile, so you'll need to use your computer.

Will there be team pricing?

Yes! Team pricing will be announced soon. Hopefully when the pre-sale goes live, if it's ready in time.

Can I get an invoice?

Absolutely. Payments will be processed through Stripe, which will generate an invoice for you.

What if I decide it's not for me?

No worries, just send me an email within 7 days of purchase, and I'll refund you, no questions asked.

What about [tax]?

Stripe should automatically handle any tax required on the purchase.