I'm nervous that my app's security has flaws. Asking for feedback.

Posted 1 year ago by Ben94

This is my first freelance job for an IT company. The requirement is that the website has two use-cases.

  1. Customers (other companies) need to log in and be able to view their orders from our SAP production DB.
  2. Employees from 'my' company also need to be able to log in and view some internal information pulled from their production database.

What I have done to make the site a bit more secure:

  • I have two databases, one is a simple MySQL db for users. The other is a full production SAP B1 database. Both usernames and passwords are configured in the .env file.
  • The connection with the SAP database is from a user that has only read-only access.
  • The sensitive Laravel Models that connect to the Production database have read-only traits (just to be extra sure.)
  • Every route except login has an auth middleware so people get redirected when not authenticated.
  • (Here's the risky one I'm uncertain of) I have a route /getData that still has that auth middleware. If you go to /getData you'll be redirected. Is this hack-proof/can I test this?

Are these proper steps? And a more global question: How can I make absolutely sure my site is secure? Any tips, things to really take into consideration or more?

I know this is probably a broad question, so if anyone can find an extensive tutorial/small book on the subject I'd love to hear it. (Couldn't find one myself.)
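The "can I test this?" part of the question can be answered with a Laravel feature test, which is how a practitioner would pin down the behaviour of the `/getData` route rather than trusting the middleware by inspection. The test below is an added example, not code from the post or from any Laravel project; it assumes the default `App\Models\User` model and factory, a `/login` route, and (for the last test only) a hypothetical `company_id` column on users that `/getData` echoes back in each JSON row. It runs against the MySQL users database only, so the SAP connection is never touched.

```php
<?php
// tests/Feature/GetDataAccessTest.php (added example; all model/column names are assumptions)

namespace Tests\Feature;

use App\Models\User;                                  // assumed: Laravel's default User model
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class GetDataAccessTest extends TestCase
{
    use RefreshDatabase; // migrates a throw-away copy of the users DB for each test

    /** A guest hitting /getData must be redirected to login, never served data. */
    public function test_guest_is_redirected_from_get_data(): void
    {
        $this->get('/getData')
             ->assertRedirect('/login'); // assumed login path
    }

    /** A logged-in user is allowed through the auth middleware. */
    public function test_authenticated_user_can_reach_get_data(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)
             ->get('/getData')
             ->assertOk();
    }

    /**
     * Authentication is not authorization: a customer should only see its own
     * company's orders. Assumes users carry a hypothetical company_id and that
     * /getData returns a JSON list of rows each containing that company_id.
     */
    public function test_customer_only_sees_own_company_orders(): void
    {
        $customerA = User::factory()->create(['company_id' => 'A']);
        User::factory()->create(['company_id' => 'B']); // another tenant exists

        $response = $this->actingAs($customerA)->getJson('/getData');
        $response->assertOk();

        foreach ($response->json() as $row) {
            $this->assertSame('A', $row['company_id']);
        }
    }
}
```

Run it with `php artisan test --filter=GetDataAccessTest`. The first two tests cover the question as asked; the third is the check that matters once several customer companies share the same route, because the auth middleware only proves a user is logged in, not that the rows returned belong to them.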