I have a huge list of security things, but let me list a few things down here for you!
Of course you need to use the CSRF functionality that comes by default in Laravel, so never ever disable that middleware for the web requests.
Your API requests should always be behind some security, either a token or an authorization header.
Make sure that you only have up-to-date assets in your public directory. Sometimes an old JavaScript library has some exploit, and if that is still in the public directory everyone can still use that. So it's important to keep the public directory clean with only the useful data. This may lead to Cross Site Scripting.
By default the session cookie of Laravel is prefixed with "laravel", so people already know you use Laravel and if there is a known exploit they can use that against you.
// config/session.php
use Illuminate\Support\Str;

// Derive the cookie name from APP_NAME so it no longer reveals the framework.
'cookie' => env(
    'SESSION_COOKIE',
    Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
),
You can also enable session encryption in that same file, which should be safer ;)
// config/session.php
'encrypt' => false, // default; set to true to encrypt the stored session payload
Always show a success message when resetting a password or requesting a password reset. Sometimes you get messages like "We don't have this username in our database". But if there is always a success message you never know if the username exists in the system or not.
Since I've been using Laravel, I never had any troubles application-wise. However, server security is a whole other thing. It happens sometimes that you get a DDoS and that kind of stuff, but that is never on application level.
You should never publish a vulnerability unless the party involved isn't doing anything about it. You should always directly contact the owner of the application to let them know about the flaw to fix it. Providing as much context as possible helps most of the time.
Let me know if this helps you in any way ;)
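The "always show a success message" advice above, as an added example that is not part of the original post: a Laravel password-reset request handler that returns the same generic message whether or not the e-mail is registered. It assumes a standard Laravel app; the controller name and message text are illustrative.

```php
<?php
// Added example (not from the original post): one flash message for every
// outcome of Password::sendResetLink(), so the response cannot be used to
// enumerate accounts. Controller name and wording are assumptions.

namespace App\Http\Controllers\Auth;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Password;

class PasswordResetLinkController extends Controller
{
    // The only text the user ever sees, regardless of what happened.
    private const GENERIC_STATUS =
        'If an account exists for that address, a password reset link has been sent.';

    public function store(Request $request): RedirectResponse
    {
        $request->validate(['email' => ['required', 'email']]);

        // The broker reports RESET_LINK_SENT, INVALID_USER or RESET_THROTTLED.
        // That detail goes to the server log only, never to the response.
        $status = Password::sendResetLink($request->only('email'));

        if ($status !== Password::RESET_LINK_SENT) {
            // Repeated INVALID_USER results from one IP are a useful
            // detection signal for enumeration attempts.
            Log::info('password reset link not sent', [
                'status' => $status,
                'ip'     => $request->ip(),
            ]);
        }

        // Same redirect and same message for every status.
        return back()->with('status', self::GENERIC_STATUS);
    }
}
```

Response time still differs slightly when a mail is actually sent; making the reset notification queueable (ShouldQueue) narrows that gap.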