Practical Laravel Security is hands-on course that uses interactive hacking exercises to teach you how to keep your applications secure.
Because learning security doesn't have to be boring!

Practical Laravel Security is currently open for Early-Access. Sign up now and get access to each module as it's released!

Or you can subscribe to the mailing list for more information and to be notified when the course is complete.

Why is Laravel Security important?

It's easy to make the assumption that a robust framework like Laravel is secure, but most of the time, it's the little things which expose vulnerabilities in your apps.

Let's take a look at some recent examples from the news...

1. Australian telecommunications company Optus was recently hacked due to allegedly leaving an unauthenticated API endpoint exposed "with the assumption that the API would only be used by authorised company systems."

2. PortSwigger discovered a vulnerability in a Mastodon fork that allowed them to steal user passwords, caused by a weak Content Security Policy (CSP) and flexible limitations on user inputs: "The form-action directive could prevent these sorts of attacks".

3. Fortbridge discovered the REST API in Plesk was lacking adequate Cross-Site Request Forgery (CSRF) protection, which allowed them to craft custom attacks that affect "all the POST requests and we could abuse most of the APIs with it".

All of these were small and overlooked vulnerabilities in otherwise robust and secure systems.

Practical Laravel Security teaches you how to avoid, find and fix these small mistakes, so unlike these apps, yours won't get hacked!

Course Outline

I believe the best way to learn how to defend against the hackers, is to first learn how to hack (ethically, of course...).

So we start by learning their attacks.

First we'll cover the theory - what is is? How does it work? Why would they use it?

And then you'll learn how to do it yourself! Each attack module will give you hands on practical exercises where you can put your new hacking skills to use!

Of course, there's no point teaching you an attack without also teaching you how to defend against it. So in the Defend modules, I'll teach you exactly what tools you need to protect your site from the attacks you've just learnt.

Finally, in the History section, you can learn from their mistakes. We'll look at previously disclosed vulnerabilities in Laravel and the community. I'll show you exactly what when wrong, and how they were fixed.


  1. Cross-Site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. SQL Injection (SQLi)
  4. Missing Authorisation
  5. Type Juggling
  6. Injection
    In progress
  7. Remote Code Execution (RCE)
  8. Server-Side Request Forgery (SSRF)
  9. Authentication
  10. Debug Mode
  11. Supply Chain Attacks
  12. Browser Security
  13. Leaky Data


  1. Escaping Output
  2. HTML and Markdown
  3. CSRF Tokens
  4. SameSite Cookies
  5. Cross-Origin Resource Sharing (CORS)
  6. Parameterisation
  7. Authorisation Policies
  8. Authorisation Gates
  9. Signed URLs
  10. HMAC Hashes
  11. Strict/Secure Comparisons
  12. Input Validation
  13. Password Security
  14. Rate Limiting
  15. Authentication
  16. Browser Security Headers
  17. Content Security Policy (CSP)
  18. Subresource Integrity (SRI)
  19. And more...

Who Am I?

Hi, I'm Stephen Rees-Carter, and I've spent the past year conducting security audits on Laravel applications of all sizes. As you can imagine, I've seen a lot of great code, but I've also seen a some truly terrifying code, with the same mistakes made over and over again!

However, what I've seen most often are the small mistakes, the missing pieces, forgotten and overlooked pieces of code that introduce a subtle yet critical vulnerabilities. Just as bugs sneak into our code, so to do these vulnerabilities.

I want to teach you find and fix these subtle bugs before someone else exploits them!

My conference talks have been described as "like watching someone do a magic trick but the magic trick is terrifying", and this is the experience I'm hoping to replicate in this course... But this time, you'll be the one doing the magic tricks!

I hope you'll come on this security journey with me! If you've got any questions about the course, feel free to email me. You can also find me on Twitter and Mastodon.

Sign up for the course!

Sign up now and get early access to the modules as they are released,
and get a discount on the final price!

Single Payment

$300 USD

Special discounted rate.

  • Full Access to the course as it's built

  • Access to the Discord Server

Payment Plan

$79 USD per month x4

4 month fixed-length payment plan.

  • Incremental access to the course

  • Access to the Discord Server

Team License

Please reach out for teams pricing and to discuss your needs. Team plans include full access to the course and tracking staff progress throughout the course.

Feedback on the Course

Hey Stephen,
Just wanted to say thanks for making this course.
Loving the format, the gamification is working well with my brain 😊 It's getting me to think about this in ways I wouldn't have by just reading a book.
The last [XSS] challenge was just fun, didn't use the hints but [redacted] 😊
Looking forward to the next challenges.

It is a really fun, and hands on course with exercises for you to learn as you do!
— Ana Lisboa (@_ana_lisboa_)
Feb 14, 2023

From Past Talks and Social Media

Clément: Here we go, nightmares all over again... 😱
Colin: Quick @James, take Forge down!
Alex: Aaaaaand now I'm goign to have security nightmares
Alex: Being Stephen back for every Laracon. I need to be scared straight about security every 6 months or so
~YouTube Live Chat

Alex: Literally every time Stephen talks, my mind is blown
Javier: Agree
Colin: Literally every time Stephen talks, I get nervous
~YouTube Live Chat

Christian: this is like watching someone do a magic trick but the magic trick is terrifying 🤯
~YouTube Live Chat

This will be great, just subscribed to the mailing list.
— Davor Minchorov (@davorminchorov)
November 13, 2022

I've been enjoying the Laravel Security newsletter, so I'm looking forward to this course. Security is one of those topics we should all keep investing in as developers.
— Joel Clermont (@jclermont)
November 10, 2022

Jim: this guy always makes me nervous
Harm: He should
~YouTube Live Chat

Clément: How are we supposed to sleep after this talk? 😱
Gertjan: 🤯
~YouTube Live Chat

This course by @valorin looks extremely interesting! ☠️
— Andrea Marco Sartori (@cerbero90)
Feb 14, 2023

Mariusz: Thanks Stephen, now I'm going to have nightmares 🤣
~YouTube Live Chat

Looking forward to it.👍
— Hamza Ikram || Laravel Developer (@h_ik04)
November 11, 2022

Bought it! Haven’t started yet, but looking forward to. Think I saw two of your Laracon talks, which made it a no brained for me to buy the presale
— Pim Veelders (@PimVeelders)
Feb 14, 2023

Frequently Asked Questions

Who is this course for?

Laravel Developers of all skill levels, regardless of their security knowledge. The concepts will be explained for those without prior knowledge, and the challenges will range from easy to hard, so everyone can get something out of it.

What about Laravel Security in Depth?

The idea is that they compliment each other, rather than overlap and reuse content. I love writing the emails each week, so I definitely want to make it unique. The course is focused on specific vulnerabilities and how to find and fix them in your own code, so it will be a very practical look at things. While the newsletter will look more at concepts, implementations, recent changes in Laravel, etc, looking into security implementations. Also looking at concepts like the OWASP Top 10 - which will guide the course in a way, but won't be featured directly.

Does it require any special software?

No. Everything you need will be available in the browser, although it hasn't been optmised for mobile, so you'll need to use your computer.

How does the payment plan work?

For simplicity, the payment plan is created as a monthly Stripe subscription. The subscription will be automatically cancelled after the fixed length period. Access to modules within the course with be limited initially, with access to more modules opening up as each payment is completed. Full access to the course will be granted when the payment plan is completed.

Is there be team pricing?

Yes! Team pricing is available, as well as some additional features, such as tracking staff progress. Please send me an email to discuss your needs.

Can I get an invoice?

Absolutely. Payments will be processed through Stripe, which will generate an invoice for you.

What if I decide it's not for me?

No worries, just send me an email within 7 days of purchase, and I'll refund you, no questions asked.

What about [tax]?

Stripe should automatically handle any tax required on the purchase.