
Overview

Dashboard Laravel provides comprehensive security features to protect your application and user data. Configure authentication methods, password policies, two-factor authentication (2FA), and session management.
Always use strong passwords and enable two-factor authentication for administrator accounts.

Password Management

Changing Your Password

Update your account password through the Security tab in the configuration panel.
<!-- Dashboard UI card. The labels are the dashboard's Spanish strings:
     "Cambiar Contraseña" = Change Password, "Contraseña Actual" = Current Password,
     "Nueva Contraseña" = New Password, "Confirmar Nueva Contraseña" = Confirm New Password,
     "Actualizar Contraseña" = Update Password -->
<div class="card mb-4">
  <div class="card-header">
    <h5><i class="fas fa-key"></i> Cambiar Contraseña</h5>
  </div>
  <div class="card-body">
    <div class="mb-3">
      <label class="form-label">Contraseña Actual</label>
      <input type="password" class="form-control" placeholder="••••••••">
    </div>
    <div class="mb-3">
      <label class="form-label">Nueva Contraseña</label>
      <input type="password" class="form-control" placeholder="••••••••">
    </div>
    <div class="mb-3">
      <label class="form-label">Confirmar Nueva Contraseña</label>
      <input type="password" class="form-control" placeholder="••••••••">
    </div>
    <button class="btn btn-warning">
      <i class="fas fa-lock"></i> Actualizar Contraseña
    </button>
  </div>
</div>
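The card above only shows the form. As an added example (not Dashboard Laravel's own controller code), this is how a Laravel 11 application would handle that form safely on the server: re-check the current password, enforce a password policy, hash the new value, and drop every other session for the account. It assumes the three inputs post as current_password, password and password_confirmation, that the route sits behind the auth middleware, and that Illuminate\Session\Middleware\AuthenticateSession is in the web middleware group (logoutOtherDevices relies on it).

```php
<?php
// app/Http/Controllers/UpdatePasswordController.php
// Added example, not Dashboard Laravel's own code. Assumes the form posts
// current_password, password and password_confirmation, and that the route
// is behind the `auth` middleware.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

class UpdatePasswordController extends Controller
{
    public function __invoke(Request $request): RedirectResponse
    {
        $validated = $request->validate([
            // Re-authenticate before the change: `current_password` compares the
            // submitted value with the logged-in user's stored hash.
            'current_password' => ['required', 'current_password'],
            'password' => [
                'required',
                'confirmed', // must equal password_confirmation
                // Length and composition policy, plus a k-anonymity lookup against the
                // Have I Been Pwned corpus so known-breached passwords are refused.
                Password::min(12)->letters()->mixedCase()->numbers()->symbols()->uncompromised(),
            ],
        ]);

        // Persist only the hash (bcrypt or argon2 according to config/hashing.php).
        $request->user()->forceFill([
            'password' => Hash::make($validated['password']),
        ])->save();

        // End every other session for this account. AuthenticateSession compares the
        // password hash remembered in each session with the one just saved and logs
        // the stale ones out on their next request.
        Auth::logoutOtherDevices($validated['password']);

        // A credential change is a privilege change: issue a fresh session ID here too.
        $request->session()->regenerate();

        return back()->with('status', 'Password updated.');
    }
}
```

uncompromised() calls the Have I Been Pwned range API over HTTPS (only the first five hex characters of the SHA-1 leave the server), so it needs outbound network access; drop that one rule on an air-gapped deployment rather than the whole policy.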

Password Reset Configuration

Configure password reset behavior in config/auth.php:
'passwords' => [
    'users' => [
        'provider' => 'users',
        'table' => env('AUTH_PASSWORD_RESET_TOKEN_TABLE', 'password_reset_tokens'),
        'expire' => 60,
        'throttle' => 60,
    ],
],
Key Settings:
  • provider: User provider for password resets (users)
  • table: Database table for reset tokens (password_reset_tokens)
  • expire: Token expiration time in minutes (default: 60)
  • throttle: Seconds between reset attempts (default: 60)
Together these bound the attack surface of the reset flow: expire limits how long a leaked or forwarded reset link stays usable, and throttle limits how often a new link can be requested for the same account, which keeps the reset endpoint from being used to flood a victim's mailbox. If you cache configuration, re-run php artisan config:cache after changing them.

Password Confirmation Timeout

Control how long users can perform sensitive actions without re-entering their password:
// config/auth.php
'password_timeout' => env('AUTH_PASSWORD_TIMEOUT', 10800),
The default is 10,800 seconds (3 hours). A user who confirmed their password more recently than that is not prompted again; anyone else is redirected to the confirmation form by the password.confirm middleware and returned to the original action afterwards. Lower the value for administrator-facing deployments, either here or per environment through AUTH_PASSWORD_TIMEOUT.
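The timeout only matters for routes that ask for it. As an added example (not the dashboard's own routes file), this routes/web.php puts the everyday settings page behind auth alone and the dangerous actions behind password.confirm as well. It assumes a named password.confirm route that renders the confirmation form (Laravel Breeze and Fortify both register one) and the two hypothetical controllers named in the use statements.

```php
<?php
// routes/web.php, added example rather than Dashboard Laravel's own routes.
// Assumes a named `password.confirm` route and the hypothetical controllers below.

use App\Http\Controllers\TwoFactorController;
use App\Http\Controllers\UpdatePasswordController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // Ordinary settings pages: a valid session is enough.
    Route::get('/configuracion', fn () => view('configuracion'));

    // Sensitive actions: the user must have typed their password within the last
    // AUTH_PASSWORD_TIMEOUT seconds (10800 by default). Otherwise the middleware
    // redirects to route('password.confirm') and brings the user back here after.
    Route::middleware('password.confirm')->group(function () {
        Route::post('/configuracion/password', UpdatePasswordController::class);
        Route::post('/configuracion/2fa/enable', [TwoFactorController::class, 'enable']);
        Route::post('/configuracion/2fa/backup-codes', [TwoFactorController::class, 'regenerateBackupCodes']);
    });
});
```

Keep the confirmation middleware on the route that performs the action, not only on the page that renders the button: the POST is what an attacker with a hijacked session would replay.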

Two-Factor Authentication (2FA)

Enabling 2FA

Add an extra layer of security to your account with two-factor authentication.
<!-- Dashboard UI card. The labels are the dashboard's Spanish strings:
     "Autenticación de Dos Factores" = Two-Factor Authentication,
     "Agrega una capa extra de seguridad a tu cuenta." = Adds an extra layer of security to your account.
     "Activar 2FA" = Enable 2FA, "Configurar 2FA" = Set up 2FA -->
<div class="card mb-4">
  <div class="card-header">
    <h5><i class="fas fa-shield-alt"></i> Autenticación de Dos Factores</h5>
  </div>
  <div class="card-body">
    <p class="text-muted">Agrega una capa extra de seguridad a tu cuenta.</p>
    <div class="form-check form-switch mb-3">
      <input class="form-check-input" type="checkbox" id="2fa">
      <label class="form-check-label" for="2fa">Activar 2FA</label>
    </div>
    <button class="btn btn-outline-success">
      <i class="fas fa-qrcode"></i> Configurar 2FA
    </button>
  </div>
</div>
2FA Configuration Steps:
  1. Toggle the “Activar 2FA” (Enable 2FA) switch
  2. Click the “Configurar 2FA” (Set up 2FA) button
  3. Scan the QR code with an authenticator app
  4. Enter the verification code the app shows to confirm that the app and the server share the same secret
  5. Save the backup codes somewhere offline; they are the only way back into the account if the device is lost, so treat them like passwords
Recommended authenticator apps: Google Authenticator, Authy, Microsoft Authenticator
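What happens behind steps 3 to 5 is standard TOTP (RFC 6238) plus hashed, single-use backup codes. The script below is an added example in plain PHP 8, not Dashboard Laravel's own 2FA implementation, and it makes no assumption about how the dashboard stores secrets; it checks itself against the published RFC 4226/6238 test vectors and then walks through an enrolment with a freshly generated secret. Run it with php totp.php.

```php
<?php
// totp.php: added example, not Dashboard Laravel's own 2FA code. Plain PHP 8, no
// framework; it shows what the server does behind steps 3-5 above.
declare(strict_types=1);

const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// RFC 4648 base32, the form in which authenticator apps expect the shared secret.
function base32Encode(string $raw): string
{
    $bits = '';
    foreach (str_split($raw) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= B32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32Decode(string $encoded): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($encoded, '='))) as $char) {
        $index = strpos(B32_ALPHABET, $char);
        if ($index === false) {
            throw new InvalidArgumentException("invalid base32 character: $char");
        }
        $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $binary = ((ord($hash[$offset]) & 0x7F) << 24) | (ord($hash[$offset + 1]) << 16)
        | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: the counter is Unix time in 30-second steps.
function totp(string $secret, int $timestamp, int $period = 30): string
{
    return hotp($secret, intdiv($timestamp, $period));
}

// Accept the current step and one either side for clock drift; hash_equals keeps the
// comparison constant-time and rejects codes of the wrong length.
function verifyTotp(string $secret, string $code, int $timestamp, int $window = 1): bool
{
    $step = intdiv($timestamp, 30);
    for ($delta = -$window; $delta <= $window; $delta++) {
        if (hash_equals(hotp($secret, $step + $delta), str_replace(' ', '', $code))) {
            return true;
        }
    }
    return false;
}

// Backup codes (step 5): shown once, stored only as password hashes, each usable once.
function consumeBackupCode(array &$hashes, string $candidate): bool
{
    foreach ($hashes as $i => $hash) {
        if (password_verify($candidate, $hash)) {
            unset($hashes[$i]);
            return true;
        }
    }
    return false;
}

function check(bool $ok, string $what): void
{
    if (! $ok) {
        throw new RuntimeException("self-check failed: $what");
    }
}

// Self-check against the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
$rfcSecret = '12345678901234567890';
check(base32Encode($rfcSecret) === 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 'base32 encode');
check(base32Decode(base32Encode($rfcSecret)) === $rfcSecret, 'base32 round trip');
check(hotp($rfcSecret, 0) === '755224' && hotp($rfcSecret, 1) === '287082', 'HOTP vectors');
check(totp($rfcSecret, 59) === '287082', 'TOTP at T=59 (RFC vector 94287082, 6-digit form)');
check(verifyTotp($rfcSecret, '287082', 59 + 30), 'still accepted one step later');
check(! verifyTotp($rfcSecret, '287082', 59 + 61), 'rejected two steps later');

// Enrolment for a new user: the secret is generated here, not read from a database.
$secret = random_bytes(20);
echo 'Secret for the QR code: ', base32Encode($secret), PHP_EOL;
echo 'Current code: ', totp($secret, time()), PHP_EOL;

$plainCodes = array_map(fn (int $i) => bin2hex(random_bytes(5)), range(1, 8));
$storedHashes = array_map(fn (string $c) => password_hash($c, PASSWORD_DEFAULT), $plainCodes);
check(consumeBackupCode($storedHashes, $plainCodes[0]), 'first use of a backup code');
check(! consumeBackupCode($storedHashes, $plainCodes[0]), 'second use is refused');
```

The QR code in step 3 encodes an otpauth://totp/Issuer:account?secret=BASE32&issuer=Issuer URI built from that base32 secret. Two details matter in production that the script only hints at: the raw secret must be stored encrypted (the application encrypter is enough), and a code that has already been accepted for a given time step should be refused if replayed within the window, which means recording the last accepted step per user.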

Authentication Configuration

Authentication Guards

Laravel uses guards to define how users are authenticated for each request.
// config/auth.php
'defaults' => [
    'guard' => env('AUTH_GUARD', 'web'),
    'passwords' => env('AUTH_PASSWORD_BROKER', 'users'),
],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
],
Guard Configuration:
  • Default Guard: web (session-based authentication)
  • Driver: session (uses Laravel’s session system)
  • Provider: users (Eloquent user model)

User Providers

Define how users are retrieved from your database:
// config/auth.php
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => env('AUTH_MODEL', App\Models\User::class),
    ],
],
The Eloquent driver uses the User model to retrieve authentication data.

Session Security

Session Configuration

Secure session management is critical for protecting user authentication.
// config/session.php
'driver' => env('SESSION_DRIVER', 'database'),
'lifetime' => (int) env('SESSION_LIFETIME', 120),
'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
'encrypt' => env('SESSION_ENCRYPT', false),
Key Configuration Options:
  • driver: where sessions are stored (default: database)
  • lifetime: session duration in minutes (default: 120)
  • expire_on_close: end the session when the browser closes (default: false)
  • encrypt: encrypt session data (default: false)
  • table: database table for sessions (default: sessions)
The database driver is recommended for production: session state lives server-side and the cookie carries only an ID, so a user's sessions can be inspected and revoked centrally (the Laravel 11 sessions table records user_id, ip_address and user_agent), and the stored payload can be encrypted at rest with SESSION_ENCRYPT.
Protect session cookies with secure configuration:
// config/session.php
'secure' => env('SESSION_SECURE_COOKIE'),
'http_only' => env('SESSION_HTTP_ONLY', true),
'same_site' => env('SESSION_SAME_SITE', 'lax'),
Cookie Security Options:
  • secure: when true, the browser sends the session cookie only over HTTPS. The env() lookup has no default, so an unset SESSION_SECURE_COOKIE yields null and the Secure flag is left off; set it to true on every production deployment behind TLS.
  • http_only: true keeps the cookie out of document.cookie, so a script-injection bug cannot read the session ID directly.
  • same_site: lax (the default) stops the browser attaching the cookie to cross-site POSTs and most other cross-site requests, which blunts CSRF even before the token check; strict also withholds it on top-level navigations from other sites, so a user following an external link appears logged out on that first page.
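The cookie flags protect the session ID in transit and from scripts, but not against session fixation: the ID must change at the moment a user's privilege changes, and be destroyed when they leave. The login and logout handlers below are an added example, not the dashboard's own controller; they assume the default web guard and a users table with email and password columns.

```php
<?php
// app/Http/Controllers/SessionController.php
// Added example, not Dashboard Laravel's own login code. Assumes the default
// `web` session guard and a users table with email and password columns.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    // POST /login
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            // One message for unknown email and wrong password: no account enumeration.
            return back()
                ->withErrors(['email' => 'These credentials do not match our records.'])
                ->onlyInput('email');
        }

        // Session fixation defence: a new session ID the moment authentication
        // succeeds, so an ID planted in the browser beforehand (via a link, a
        // cookie set from a sibling subdomain, or a shared machine) is worthless.
        $request->session()->regenerate();

        return redirect()->intended('/');
    }

    // POST /logout
    public function destroy(Request $request): RedirectResponse
    {
        Auth::logout();

        // Drop the server-side session data and rotate both the session ID and the
        // CSRF token; a captured copy of the old cookie can no longer be replayed.
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/login');
    }
}
```

To make a password change or Auth::logoutOtherDevices() terminate sessions on other devices as well, append Illuminate\Session\Middleware\AuthenticateSession to the web group in bootstrap/app.php ($middleware->web(append: [AuthenticateSession::class])); it stores the user's password hash in each session and logs the session out when the hash no longer matches.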

CSRF Protection

Laravel validates an anti-CSRF token on every state-changing request handled by the web middleware group, so a page on another origin cannot make the dashboard perform an action using the victim's session cookie.

How CSRF Works

All forms in Dashboard Laravel include CSRF tokens:
<form method="POST" action="/configuracion">
    @csrf
    <!-- Form fields -->
</form>
The token is checked on every request whose method is not GET, HEAD or OPTIONS (so POST, PUT, PATCH and DELETE); a request with a missing or stale token is rejected with HTTP 419 (TokenMismatchException) before the controller runs. Leaving @csrf out of a form does not weaken the check, it simply makes the form stop working.

CSRF Token Verification

Laravel’s ValidateCsrfToken middleware is part of the framework’s default web middleware group. In Laravel 11 the application no longer ships an app/Http/Kernel.php; the group is assembled by the framework, and any per-application exceptions are declared in bootstrap/app.php:
// Framework default for the web group (shown for reference, not edited in the application)
protected $middlewareGroups = [
    'web' => [
        // ...
        \Illuminate\Foundation\Http\Middleware\ValidateCsrfToken::class,
    ],
];
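The one legitimate reason to touch this middleware is a route that a third party calls with no browser session, such as a payment-provider webhook. As an added example (not the dashboard's bootstrap file), this is the Laravel 11 bootstrap/app.php with a single exception; the webhooks/payments path is hypothetical, and any route listed here must authenticate its caller some other way.

```php
<?php
// bootstrap/app.php, added example rather than Dashboard Laravel's own file.
// Laravel 11 puts ValidateCsrfToken in the web group for you; this is the only
// place an application should narrow it. `webhooks/payments` is hypothetical.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Every path listed here loses CSRF protection entirely. Only list endpoints
        // that are never driven by a logged-in browser and that verify the caller
        // themselves, e.g. by checking an HMAC signature over the raw request body
        // with a secret shared with the sender. Never use a wildcard like '*'.
        $middleware->validateCsrfTokens(except: [
            'webhooks/payments',
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

The excepted path is matched as a URI pattern, so 'webhooks/*' would also be accepted but exposes every future route under that prefix; list exact paths and review the list whenever routes are added.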

Encryption

Application Key

Laravel uses a single application key for everything the framework encrypts: the session and other cookies, values passed through Crypt, and the session payload when SESSION_ENCRYPT is on. The cipher is AES-256-CBC with an HMAC-SHA256 tag over the ciphertext, so tampered data is detected before it is decrypted:
// config/app.php
'cipher' => 'AES-256-CBC',
'key' => env('APP_KEY'),
Never commit your APP_KEY to version control. Generate it with php artisan key:generate, which writes 32 random bytes (base64-encoded) to .env. Whoever holds the key can forge session cookies for any user, so treat it as a credential. When rotating it, place the old key in APP_PREVIOUS_KEYS (comma-separated); Laravel 11 decrypts with previous keys as a fallback, so existing sessions and encrypted values keep working while new writes use the current key.

Encrypted Session Data

Optionally encrypt the stored session payload with APP_KEY. The session cookie itself only carries the session ID and is always encrypted by the EncryptCookies middleware; this setting protects the server-side session data (for the database driver, the payload column) against anyone who can read the store but not the key:
// config/session.php
'encrypt' => env('SESSION_ENCRYPT', false),

Security Best Practices

  • Serve the dashboard over HTTPS only and set SESSION_SECURE_COOKIE=true
  • Generate APP_KEY with php artisan key:generate and keep it out of version control
  • Enable two-factor authentication for every administrator account
  • Use the database session driver so sessions can be revoked server-side
  • Keep http_only set to true for the session cookie
  • Configure same_site to lax or strict
  • Set a session lifetime proportionate to what the dashboard exposes (120 minutes is the default)
  • Require password confirmation (password.confirm) for sensitive actions
  • Rotate passwords regularly and immediately after any suspected compromise
  • Monitor authentication activity; Laravel dispatches Login, Failed and Lockout events that can be logged and alerted on

Environment Variables

Key security-related environment variables:
# .env
APP_KEY=base64:your-encryption-key-here
APP_DEBUG=false
APP_ENV=production

SESSION_DRIVER=database
SESSION_LIFETIME=120
SESSION_SECURE_COOKIE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax

AUTH_PASSWORD_TIMEOUT=10800
Review and adjust these values based on your security requirements.
