1 · Harden first

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 1 · Harden first
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 7
- step_number: 1
- est_time: ~1–2 hr
- description: Treat every shipped secret as compromised — rotate vendor defaults, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies before anything watches the app.
- tags: codecanyon, laravel, security, hardening, audit

## Execution rules (binding)
- This is step 1 of phase 7 (~1–2 hr) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 1 · Harden first

## TL;DR

**Objective** — close the obvious doors before anything watches them: rotate every vendor default, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies so the app faces real traffic with no public-knowledge secrets and no mass-assignment holes.

:::note[User part + done-when]
**👤 User part** — change the default admin login in the app UI and delete the demo account; everything else (key rotation, permission/CORS audit, mass-assignment + session checks) is terminal-runnable.

**Done when** every vendor default is rotated, auth/sensitive endpoints are throttled, CORS is locked to your domains, secrets/backups aren't web-reachable, no model uses `$guarded = []`, and session cookies are `secure` + `http_only` + `same_site=lax`. &nbsp;·&nbsp; **⏱ ~1–2 hr** &nbsp;·&nbsp; 🔀 mostly 🤖 agent, with one 👤 admin-login change.
:::

## Background

The CodeCanyon package shipped with defaults that are public knowledge — every other buyer downloaded the same admin login, the same demo tokens, the same `APP_KEY`. Close the obvious doors **before** you wire anything that watches them. This page is the doctrine and the audit; the next page handles header/middleware code.

:::danger[Treat every shipped secret as compromised]
Default admin credentials, demo API tokens, and the vendor's `APP_KEY` are in the package every other buyer downloaded. Rotate **all** of them before the app faces real traffic — assume they are already known.
:::

Rotating the secrets is half the job; how you record what the audit finds is the other half.

:::caution[Never silently edit the vendor tree]
When an audit finding lives in a vendor file, **don't** patch it in place — open a tracking GitHub issue and record it in `_CUSTOMIZATIONS.md` with severity, file, and the proposed fix. Surgical, documented edits survive the next vendor update; silent ones don't.
:::

## Steps

### 1. Rotate every vendor default

Change the default admin login, regenerate the app key, and revoke any seeded API tokens the package shipped with.

:::note[Who does this]
🔀 **User + Agent** — the agent regenerates the key and revokes tokens, but 👤 **User** changes the default admin email/password in the app UI and deletes the demo account (the agent can't sign in to the admin panel).
:::

<Steps>

1. **Regenerate the app key.**

   ```bash
   php artisan key:generate   # new APP_KEY — invalidates old encrypted payloads
   ```

   - ✅ A fresh `APP_KEY` is written to `.env`.

2. **Work the rotation checklist** — change the default admin login (👤, demo account deleted not just disabled), regenerate `APP_KEY` on each environment, revoke seeded/demo API tokens, and purge vendor demo data from the production database.

   - ✅ Every default credential, token, and demo record is gone from production.

</Steps>

:::caution[Order matters if you encrypt fields]
If the User model already casts fields to `'encrypted'` (see [Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)), **migrate the encrypted data first** — rotating `APP_KEY` makes existing ciphertext undecryptable.
:::

### 2. Rate limits + file permissions

Throttle auth and sensitive endpoints, and confirm secrets and backups are **not** web-reachable. A backup folder served over HTTP is a data breach waiting to be indexed.

<Steps>

1. **Throttle auth** — apply Laravel's `throttle` middleware to login, registration, password-reset, and any token-issuing route.

   - ✅ Sensitive auth routes carry a `throttle` middleware.

2. **Restrict CORS** — if the app exposes API routes, set `allowed_origins` in `config/cors.php` to your own domains, never `*` — an open CORS policy lets any site call your API with the user's credentials.

   - ✅ `config/cors.php` `allowed_origins` lists only your domains.

3. **Confirm secrets and backups 404/403** — `.env`, `storage/`, and any backup directory must sit outside the web root or be denied by the server.

   ```bash
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/.env
   # Expected: 403 or 404 — never 200
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/storage/
   # Expected: 403 or 404 — never a listing
   ```

   - ✅ Both commands print `403` or `404` — no `200`, no directory listing.

</Steps>

### 3. Audit mass assignment

`$guarded = []` on a model is a mass-assignment hole — a crafted request can set columns you never exposed. Prefer explicit `$fillable`.

<Steps>

1. **Scan the models for the hole.**

   ```bash
   grep -rEn 'guarded\s*=\s*\[\s*\]' app/Models/
   # Expected: no matches (any result = a dangerous model to fix)
   grep -rn 'unguard(' app/Models/
   # Expected: no matches — unguard() disables mass-assignment protection globally
   grep -rn 'guarded\|fillable' app/Models/
   # Expected: every model has an explicit $fillable list
   ```

   - ✅ No `$guarded = []` or `unguard()` calls; every model declares an explicit `$fillable`.

2. **Resolve each finding** against the risk table — replace any `$guarded = []` (and any model defining neither) with an explicit `$fillable`.

   | Finding | Risk | Action |
   |---|---|---|
   | `$fillable` with specific fields | Safe | None |
   | `$guarded` with specific fields | Safe | None |
   | `$guarded = []` | **Dangerous** | Change to explicit `$fillable` |
   | Neither defined | Medium | Add explicit `$fillable` |

   - ✅ No model uses `$guarded = []`; vendor findings are tracked, not patched in place.

</Steps>

If the offending model is a vendor file, follow the tracking-issue rule above rather than editing it directly.

### 4. Audit session security

Confirm production session cookies are locked down so they can't be read by JavaScript, sent over plain HTTP, or replayed cross-site.

<Steps>

1. **Read the current session cookie config.**

   ```bash
   grep -E "(secure|same_site|http_only)" config/session.php
   # Expected: the secure / same_site / http_only lines print for review
   ```

   - ✅ You can see the current values for all three cookie flags.

2. **Confirm each setting matches the production expectation**, then set `SESSION_SECURE_COOKIE=true` in the server `.env`.

   | Setting | Expected (production) | Risk if wrong |
   |---|---|---|
   | `secure` | `env('SESSION_SECURE_COOKIE', true)` | Cookie sent over HTTP |
   | `http_only` | `true` | XSS can read the session cookie |
   | `same_site` | `'lax'` | Cross-site request forgery |

   - ✅ `secure`, `http_only`, and `same_site=lax` all hold, and `SESSION_SECURE_COOKIE=true` on the server.

</Steps>

Run this audit **after** the rest of the security work — it's the verify-and-track pass that catches what the earlier steps missed.

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🔀 Every vendor default rotated** — admin login (👤), `APP_KEY`, demo tokens, demo data all gone.
- [ ] **🤖 Endpoints + files locked** — auth throttled, CORS scoped to your domains (no `*`), `.env`/`storage/`/backups confirmed not web-reachable.
- [ ] **🤖 Mass-assignment audit done** — no `$guarded = []`; vendor findings tracked in `_CUSTOMIZATIONS.md`.
- [ ] **🤖 Session cookies hardened** — `secure` + `http_only` + `same_site=lax`; `SESSION_SECURE_COOKIE=true` on the server.

:::next[Next step]
[Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)
:::

# 1 · Harden first

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/

## TL;DR

**Objective** — close the obvious doors before anything watches them: rotate every vendor default, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies so the app faces real traffic with no public-knowledge secrets and no mass-assignment holes.

:::note[User part + done-when]
**👤 User part** — change the default admin login in the app UI and delete the demo account; everything else (key rotation, permission/CORS audit, mass-assignment + session checks) is terminal-runnable.

**Done when** every vendor default is rotated, auth/sensitive endpoints are throttled, CORS is locked to your domains, secrets/backups aren't web-reachable, no model uses `$guarded = []`, and session cookies are `secure` + `http_only` + `same_site=lax`. &nbsp;·&nbsp; **⏱ ~1–2 hr** &nbsp;·&nbsp; 🔀 mostly 🤖 agent, with one 👤 admin-login change.
:::

## Background

The CodeCanyon package shipped with defaults that are public knowledge — every other buyer downloaded the same admin login, the same demo tokens, the same `APP_KEY`. Close the obvious doors **before** you wire anything that watches them. This page is the doctrine and the audit; the next page handles header/middleware code.

:::danger[Treat every shipped secret as compromised]
Default admin credentials, demo API tokens, and the vendor's `APP_KEY` are in the package every other buyer downloaded. Rotate **all** of them before the app faces real traffic — assume they are already known.
:::

Rotating the secrets is half the job; how you record what the audit finds is the other half.

:::caution[Never silently edit the vendor tree]
When an audit finding lives in a vendor file, **don't** patch it in place — open a tracking GitHub issue and record it in `_CUSTOMIZATIONS.md` with severity, file, and the proposed fix. Surgical, documented edits survive the next vendor update; silent ones don't.
:::

## Steps

### 1. Rotate every vendor default

Change the default admin login, regenerate the app key, and revoke any seeded API tokens the package shipped with.

:::note[Who does this]
🔀 **User + Agent** — the agent regenerates the key and revokes tokens, but 👤 **User** changes the default admin email/password in the app UI and deletes the demo account (the agent can't sign in to the admin panel).
:::

<Steps>

1. **Regenerate the app key.**

   ```bash
   php artisan key:generate   # new APP_KEY — invalidates old encrypted payloads
   ```

   - ✅ A fresh `APP_KEY` is written to `.env`.

2. **Work the rotation checklist** — change the default admin login (👤, demo account deleted not just disabled), regenerate `APP_KEY` on each environment, revoke seeded/demo API tokens, and purge vendor demo data from the production database.

   - ✅ Every default credential, token, and demo record is gone from production.

</Steps>

:::caution[Order matters if you encrypt fields]
If the User model already casts fields to `'encrypted'` (see [Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)), **migrate the encrypted data first** — rotating `APP_KEY` makes existing ciphertext undecryptable.
:::

### 2. Rate limits + file permissions

Throttle auth and sensitive endpoints, and confirm secrets and backups are **not** web-reachable. A backup folder served over HTTP is a data breach waiting to be indexed.

<Steps>

1. **Throttle auth** — apply Laravel's `throttle` middleware to login, registration, password-reset, and any token-issuing route.

   - ✅ Sensitive auth routes carry a `throttle` middleware.

2. **Restrict CORS** — if the app exposes API routes, set `allowed_origins` in `config/cors.php` to your own domains, never `*` — an open CORS policy lets any site call your API with the user's credentials.

   - ✅ `config/cors.php` `allowed_origins` lists only your domains.

3. **Confirm secrets and backups 404/403** — `.env`, `storage/`, and any backup directory must sit outside the web root or be denied by the server.

   ```bash
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/.env
   # Expected: 403 or 404 — never 200
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/storage/
   # Expected: 403 or 404 — never a listing
   ```

   - ✅ Both commands print `403` or `404` — no `200`, no directory listing.

</Steps>

### 3. Audit mass assignment

`$guarded = []` on a model is a mass-assignment hole — a crafted request can set columns you never exposed. Prefer explicit `$fillable`.

<Steps>

1. **Scan the models for the hole.**

   ```bash
   grep -rEn 'guarded\s*=\s*\[\s*\]' app/Models/
   # Expected: no matches (any result = a dangerous model to fix)
   grep -rn 'unguard(' app/Models/
   # Expected: no matches — unguard() disables mass-assignment protection globally
   grep -rn 'guarded\|fillable' app/Models/
   # Expected: every model has an explicit $fillable list
   ```

   - ✅ No `$guarded = []` or `unguard()` calls; every model declares an explicit `$fillable`.

2. **Resolve each finding** against the risk table — replace any `$guarded = []` (and any model defining neither) with an explicit `$fillable`.

   | Finding | Risk | Action |
   |---|---|---|
   | `$fillable` with specific fields | Safe | None |
   | `$guarded` with specific fields | Safe | None |
   | `$guarded = []` | **Dangerous** | Change to explicit `$fillable` |
   | Neither defined | Medium | Add explicit `$fillable` |

   - ✅ No model uses `$guarded = []`; vendor findings are tracked, not patched in place.

</Steps>

If the offending model is a vendor file, follow the tracking-issue rule above rather than editing it directly.

### 4. Audit session security

Confirm production session cookies are locked down so they can't be read by JavaScript, sent over plain HTTP, or replayed cross-site.

<Steps>

1. **Read the current session cookie config.**

   ```bash
   grep -E "(secure|same_site|http_only)" config/session.php
   # Expected: the secure / same_site / http_only lines print for review
   ```

   - ✅ You can see the current values for all three cookie flags.

2. **Confirm each setting matches the production expectation**, then set `SESSION_SECURE_COOKIE=true` in the server `.env`.

   | Setting | Expected (production) | Risk if wrong |
   |---|---|---|
   | `secure` | `env('SESSION_SECURE_COOKIE', true)` | Cookie sent over HTTP |
   | `http_only` | `true` | XSS can read the session cookie |
   | `same_site` | `'lax'` | Cross-site request forgery |

   - ✅ `secure`, `http_only`, and `same_site=lax` all hold, and `SESSION_SECURE_COOKIE=true` on the server.

</Steps>

Run this audit **after** the rest of the security work — it's the verify-and-track pass that catches what the earlier steps missed.

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🔀 Every vendor default rotated** — admin login (👤), `APP_KEY`, demo tokens, demo data all gone.
- [ ] **🤖 Endpoints + files locked** — auth throttled, CORS scoped to your domains (no `*`), `.env`/`storage/`/backups confirmed not web-reachable.
- [ ] **🤖 Mass-assignment audit done** — no `$guarded = []`; vendor findings tracked in `_CUSTOMIZATIONS.md`.
- [ ] **🤖 Session cookies hardened** — `secure` + `http_only` + `same_site=lax`; `SESSION_SECURE_COOKIE=true` on the server.

:::next[Next step]
[Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)
:::

TL;DR

Objective — close the obvious doors before anything watches them: rotate every vendor default, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies so the app faces real traffic with no public-knowledge secrets and no mass-assignment holes.

Background

The CodeCanyon package shipped with defaults that are public knowledge — every other buyer downloaded the same admin login, the same demo tokens, the same APP_KEY. Close the obvious doors before you wire anything that watches them. This page is the doctrine and the audit; the next page handles header/middleware code.

Rotating the secrets is half the job; how you record what the audit finds is the other half.

Steps

1. Rotate every vendor default

Change the default admin login, regenerate the app key, and revoke any seeded API tokens the package shipped with.

Regenerate the app key.

php artisan key:generate   # new APP_KEY — invalidates old encrypted payloads

✅ A fresh APP_KEY is written to .env.

Work the rotation checklist — change the default admin login (👤, demo account deleted not just disabled), regenerate APP_KEY on each environment, revoke seeded/demo API tokens, and purge vendor demo data from the production database.
- ✅ Every default credential, token, and demo record is gone from production.

2. Rate limits + file permissions

Throttle auth and sensitive endpoints, and confirm secrets and backups are not web-reachable. A backup folder served over HTTP is a data breach waiting to be indexed.

Throttle auth — apply Laravel’s throttle middleware to login, registration, password-reset, and any token-issuing route.
- ✅ Sensitive auth routes carry a throttle middleware.
Restrict CORS — if the app exposes API routes, set allowed_origins in config/cors.php to your own domains, never * — an open CORS policy lets any site call your API with the user’s credentials.
- ✅ config/cors.php allowed_origins lists only your domains.

Confirm secrets and backups 404/403 — .env, storage/, and any backup directory must sit outside the web root or be denied by the server.

curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/.env
# Expected: 403 or 404 — never 200
curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/storage/
# Expected: 403 or 404 — never a listing

✅ Both commands print 403 or 404 — no 200, no directory listing.

3. Audit mass assignment

$guarded = [] on a model is a mass-assignment hole — a crafted request can set columns you never exposed. Prefer explicit $fillable.

Scan the models for the hole.

grep -rEn 'guarded\s*=\s*\[\s*\]' app/Models/
# Expected: no matches (any result = a dangerous model to fix)
grep -rn 'unguard(' app/Models/
# Expected: no matches — unguard() disables mass-assignment protection globally
grep -rn 'guarded\|fillable' app/Models/
# Expected: every model has an explicit $fillable list

✅ No $guarded = [] or unguard() calls; every model declares an explicit $fillable.

Resolve each finding against the risk table — replace any $guarded = [] (and any model defining neither) with an explicit $fillable.

Finding Risk Action
$fillable with specific fields Safe None
$guarded with specific fields Safe None
$guarded = [] Dangerous Change to explicit $fillable
Neither defined Medium Add explicit $fillable
- ✅ No model uses $guarded = []; vendor findings are tracked, not patched in place.

Finding	Risk	Action
`$fillable` with specific fields	Safe	None
`$guarded` with specific fields	Safe	None
`$guarded = []`	Dangerous	Change to explicit `$fillable`
Neither defined	Medium	Add explicit `$fillable`

If the offending model is a vendor file, follow the tracking-issue rule above rather than editing it directly.

4. Audit session security

Confirm production session cookies are locked down so they can’t be read by JavaScript, sent over plain HTTP, or replayed cross-site.

Read the current session cookie config.

grep -E "(secure|same_site|http_only)" config/session.php
# Expected: the secure / same_site / http_only lines print for review

✅ You can see the current values for all three cookie flags.

Confirm each setting matches the production expectation, then set SESSION_SECURE_COOKIE=true in the server .env.

Setting Expected (production) Risk if wrong
secure env('SESSION_SECURE_COOKIE', true) Cookie sent over HTTP
http_only true XSS can read the session cookie
same_site 'lax' Cross-site request forgery
- ✅ secure, http_only, and same_site=lax all hold, and SESSION_SECURE_COOKIE=true on the server.

Setting	Expected (production)	Risk if wrong
`secure`	`env('SESSION_SECURE_COOKIE', true)`	Cookie sent over HTTP
`http_only`	`true`	XSS can read the session cookie
`same_site`	`'lax'`	Cross-site request forgery

Run this audit after the rest of the security work — it’s the verify-and-track pass that catches what the earlier steps missed.

Checklist

Do not mark this step done until every box below is checked.

🔀 Every vendor default rotated — admin login (👤), APP_KEY, demo tokens, demo data all gone.
🤖 Endpoints + files locked — auth throttled, CORS scoped to your domains (no *), .env/storage//backups confirmed not web-reachable.
🤖 Mass-assignment audit done — no $guarded = []; vendor findings tracked in _CUSTOMIZATIONS.md.
🤖 Session cookies hardened — secure + http_only + same_site=lax; SESSION_SECURE_COOKIE=true on the server.

Security headers & packages

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 1 · Harden first
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 7
- step_number: 1
- est_time: ~1–2 hr
- description: Treat every shipped secret as compromised — rotate vendor defaults, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies before anything watches the app.
- tags: codecanyon, laravel, security, hardening, audit

## Execution rules (binding)
- This is step 1 of phase 7 (~1–2 hr) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 1 · Harden first

## TL;DR

**Objective** — close the obvious doors before anything watches them: rotate every vendor default, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies so the app faces real traffic with no public-knowledge secrets and no mass-assignment holes.

:::note[User part + done-when]
**👤 User part** — change the default admin login in the app UI and delete the demo account; everything else (key rotation, permission/CORS audit, mass-assignment + session checks) is terminal-runnable.

**Done when** every vendor default is rotated, auth/sensitive endpoints are throttled, CORS is locked to your domains, secrets/backups aren't web-reachable, no model uses `$guarded = []`, and session cookies are `secure` + `http_only` + `same_site=lax`. &nbsp;·&nbsp; **⏱ ~1–2 hr** &nbsp;·&nbsp; 🔀 mostly 🤖 agent, with one 👤 admin-login change.
:::

## Background

The CodeCanyon package shipped with defaults that are public knowledge — every other buyer downloaded the same admin login, the same demo tokens, the same `APP_KEY`. Close the obvious doors **before** you wire anything that watches them. This page is the doctrine and the audit; the next page handles header/middleware code.

:::danger[Treat every shipped secret as compromised]
Default admin credentials, demo API tokens, and the vendor's `APP_KEY` are in the package every other buyer downloaded. Rotate **all** of them before the app faces real traffic — assume they are already known.
:::

Rotating the secrets is half the job; how you record what the audit finds is the other half.

:::caution[Never silently edit the vendor tree]
When an audit finding lives in a vendor file, **don't** patch it in place — open a tracking GitHub issue and record it in `_CUSTOMIZATIONS.md` with severity, file, and the proposed fix. Surgical, documented edits survive the next vendor update; silent ones don't.
:::

## Steps

### 1. Rotate every vendor default

Change the default admin login, regenerate the app key, and revoke any seeded API tokens the package shipped with.

:::note[Who does this]
🔀 **User + Agent** — the agent regenerates the key and revokes tokens, but 👤 **User** changes the default admin email/password in the app UI and deletes the demo account (the agent can't sign in to the admin panel).
:::

<Steps>

1. **Regenerate the app key.**

   ```bash
   php artisan key:generate   # new APP_KEY — invalidates old encrypted payloads
   ```

   - ✅ A fresh `APP_KEY` is written to `.env`.

2. **Work the rotation checklist** — change the default admin login (👤, demo account deleted not just disabled), regenerate `APP_KEY` on each environment, revoke seeded/demo API tokens, and purge vendor demo data from the production database.

   - ✅ Every default credential, token, and demo record is gone from production.

</Steps>

:::caution[Order matters if you encrypt fields]
If the User model already casts fields to `'encrypted'` (see [Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)), **migrate the encrypted data first** — rotating `APP_KEY` makes existing ciphertext undecryptable.
:::

### 2. Rate limits + file permissions

Throttle auth and sensitive endpoints, and confirm secrets and backups are **not** web-reachable. A backup folder served over HTTP is a data breach waiting to be indexed.

<Steps>

1. **Throttle auth** — apply Laravel's `throttle` middleware to login, registration, password-reset, and any token-issuing route.

   - ✅ Sensitive auth routes carry a `throttle` middleware.

2. **Restrict CORS** — if the app exposes API routes, set `allowed_origins` in `config/cors.php` to your own domains, never `*` — an open CORS policy lets any site call your API with the user's credentials.

   - ✅ `config/cors.php` `allowed_origins` lists only your domains.

3. **Confirm secrets and backups 404/403** — `.env`, `storage/`, and any backup directory must sit outside the web root or be denied by the server.

   ```bash
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/.env
   # Expected: 403 or 404 — never 200
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/storage/
   # Expected: 403 or 404 — never a listing
   ```

   - ✅ Both commands print `403` or `404` — no `200`, no directory listing.

</Steps>

### 3. Audit mass assignment

`$guarded = []` on a model is a mass-assignment hole — a crafted request can set columns you never exposed. Prefer explicit `$fillable`.

<Steps>

1. **Scan the models for the hole.**

   ```bash
   grep -rEn 'guarded\s*=\s*\[\s*\]' app/Models/
   # Expected: no matches (any result = a dangerous model to fix)
   grep -rn 'unguard(' app/Models/
   # Expected: no matches — unguard() disables mass-assignment protection globally
   grep -rn 'guarded\|fillable' app/Models/
   # Expected: every model has an explicit $fillable list
   ```

   - ✅ No `$guarded = []` or `unguard()` calls; every model declares an explicit `$fillable`.

2. **Resolve each finding** against the risk table — replace any `$guarded = []` (and any model defining neither) with an explicit `$fillable`.

   | Finding | Risk | Action |
   |---|---|---|
   | `$fillable` with specific fields | Safe | None |
   | `$guarded` with specific fields | Safe | None |
   | `$guarded = []` | **Dangerous** | Change to explicit `$fillable` |
   | Neither defined | Medium | Add explicit `$fillable` |

   - ✅ No model uses `$guarded = []`; vendor findings are tracked, not patched in place.

</Steps>

If the offending model is a vendor file, follow the tracking-issue rule above rather than editing it directly.

### 4. Audit session security

Confirm production session cookies are locked down so they can't be read by JavaScript, sent over plain HTTP, or replayed cross-site.

<Steps>

1. **Read the current session cookie config.**

   ```bash
   grep -E "(secure|same_site|http_only)" config/session.php
   # Expected: the secure / same_site / http_only lines print for review
   ```

   - ✅ You can see the current values for all three cookie flags.

2. **Confirm each setting matches the production expectation**, then set `SESSION_SECURE_COOKIE=true` in the server `.env`.

   | Setting | Expected (production) | Risk if wrong |
   |---|---|---|
   | `secure` | `env('SESSION_SECURE_COOKIE', true)` | Cookie sent over HTTP |
   | `http_only` | `true` | XSS can read the session cookie |
   | `same_site` | `'lax'` | Cross-site request forgery |

   - ✅ `secure`, `http_only`, and `same_site=lax` all hold, and `SESSION_SECURE_COOKIE=true` on the server.

</Steps>

Run this audit **after** the rest of the security work — it's the verify-and-track pass that catches what the earlier steps missed.

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🔀 Every vendor default rotated** — admin login (👤), `APP_KEY`, demo tokens, demo data all gone.
- [ ] **🤖 Endpoints + files locked** — auth throttled, CORS scoped to your domains (no `*`), `.env`/`storage/`/backups confirmed not web-reachable.
- [ ] **🤖 Mass-assignment audit done** — no `$guarded = []`; vendor findings tracked in `_CUSTOMIZATIONS.md`.
- [ ] **🤖 Session cookies hardened** — `secure` + `http_only` + `same_site=lax`; `SESSION_SECURE_COOKIE=true` on the server.

:::next[Next step]
[Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)
:::

# 1 · Harden first

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/

## TL;DR

**Objective** — close the obvious doors before anything watches them: rotate every vendor default, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies so the app faces real traffic with no public-knowledge secrets and no mass-assignment holes.

:::note[User part + done-when]
**👤 User part** — change the default admin login in the app UI and delete the demo account; everything else (key rotation, permission/CORS audit, mass-assignment + session checks) is terminal-runnable.

**Done when** every vendor default is rotated, auth/sensitive endpoints are throttled, CORS is locked to your domains, secrets/backups aren't web-reachable, no model uses `$guarded = []`, and session cookies are `secure` + `http_only` + `same_site=lax`. &nbsp;·&nbsp; **⏱ ~1–2 hr** &nbsp;·&nbsp; 🔀 mostly 🤖 agent, with one 👤 admin-login change.
:::

## Background

The CodeCanyon package shipped with defaults that are public knowledge — every other buyer downloaded the same admin login, the same demo tokens, the same `APP_KEY`. Close the obvious doors **before** you wire anything that watches them. This page is the doctrine and the audit; the next page handles header/middleware code.

:::danger[Treat every shipped secret as compromised]
Default admin credentials, demo API tokens, and the vendor's `APP_KEY` are in the package every other buyer downloaded. Rotate **all** of them before the app faces real traffic — assume they are already known.
:::

Rotating the secrets is half the job; how you record what the audit finds is the other half.

:::caution[Never silently edit the vendor tree]
When an audit finding lives in a vendor file, **don't** patch it in place — open a tracking GitHub issue and record it in `_CUSTOMIZATIONS.md` with severity, file, and the proposed fix. Surgical, documented edits survive the next vendor update; silent ones don't.
:::

## Steps

### 1. Rotate every vendor default

Change the default admin login, regenerate the app key, and revoke any seeded API tokens the package shipped with.

:::note[Who does this]
🔀 **User + Agent** — the agent regenerates the key and revokes tokens, but 👤 **User** changes the default admin email/password in the app UI and deletes the demo account (the agent can't sign in to the admin panel).
:::

<Steps>

1. **Regenerate the app key.**

   ```bash
   php artisan key:generate   # new APP_KEY — invalidates old encrypted payloads
   ```

   - ✅ A fresh `APP_KEY` is written to `.env`.

2. **Work the rotation checklist** — change the default admin login (👤, demo account deleted not just disabled), regenerate `APP_KEY` on each environment, revoke seeded/demo API tokens, and purge vendor demo data from the production database.

   - ✅ Every default credential, token, and demo record is gone from production.

</Steps>

:::caution[Order matters if you encrypt fields]
If the User model already casts fields to `'encrypted'` (see [Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)), **migrate the encrypted data first** — rotating `APP_KEY` makes existing ciphertext undecryptable.
:::

### 2. Rate limits + file permissions

Throttle auth and sensitive endpoints, and confirm secrets and backups are **not** web-reachable. A backup folder served over HTTP is a data breach waiting to be indexed.

<Steps>

1. **Throttle auth** — apply Laravel's `throttle` middleware to login, registration, password-reset, and any token-issuing route.

   - ✅ Sensitive auth routes carry a `throttle` middleware.

2. **Restrict CORS** — if the app exposes API routes, set `allowed_origins` in `config/cors.php` to your own domains, never `*` — an open CORS policy lets any site call your API with the user's credentials.

   - ✅ `config/cors.php` `allowed_origins` lists only your domains.

3. **Confirm secrets and backups 404/403** — `.env`, `storage/`, and any backup directory must sit outside the web root or be denied by the server.

   ```bash
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/.env
   # Expected: 403 or 404 — never 200
   curl -s -o /dev/null -w "%{http_code}" https://<YOUR_DOMAIN>/storage/
   # Expected: 403 or 404 — never a listing
   ```

   - ✅ Both commands print `403` or `404` — no `200`, no directory listing.

</Steps>

### 3. Audit mass assignment

`$guarded = []` on a model is a mass-assignment hole — a crafted request can set columns you never exposed. Prefer explicit `$fillable`.

<Steps>

1. **Scan the models for the hole.**

   ```bash
   grep -rEn 'guarded\s*=\s*\[\s*\]' app/Models/
   # Expected: no matches (any result = a dangerous model to fix)
   grep -rn 'unguard(' app/Models/
   # Expected: no matches — unguard() disables mass-assignment protection globally
   grep -rn 'guarded\|fillable' app/Models/
   # Expected: every model has an explicit $fillable list
   ```

   - ✅ No `$guarded = []` or `unguard()` calls; every model declares an explicit `$fillable`.

2. **Resolve each finding** against the risk table — replace any `$guarded = []` (and any model defining neither) with an explicit `$fillable`.

   | Finding | Risk | Action |
   |---|---|---|
   | `$fillable` with specific fields | Safe | None |
   | `$guarded` with specific fields | Safe | None |
   | `$guarded = []` | **Dangerous** | Change to explicit `$fillable` |
   | Neither defined | Medium | Add explicit `$fillable` |

   - ✅ No model uses `$guarded = []`; vendor findings are tracked, not patched in place.

</Steps>

If the offending model is a vendor file, follow the tracking-issue rule above rather than editing it directly.

### 4. Audit session security

Confirm production session cookies are locked down so they can't be read by JavaScript, sent over plain HTTP, or replayed cross-site.

<Steps>

1. **Read the current session cookie config.**

   ```bash
   grep -E "(secure|same_site|http_only)" config/session.php
   # Expected: the secure / same_site / http_only lines print for review
   ```

   - ✅ You can see the current values for all three cookie flags.

2. **Confirm each setting matches the production expectation**, then set `SESSION_SECURE_COOKIE=true` in the server `.env`.

   | Setting | Expected (production) | Risk if wrong |
   |---|---|---|
   | `secure` | `env('SESSION_SECURE_COOKIE', true)` | Cookie sent over HTTP |
   | `http_only` | `true` | XSS can read the session cookie |
   | `same_site` | `'lax'` | Cross-site request forgery |

   - ✅ `secure`, `http_only`, and `same_site=lax` all hold, and `SESSION_SECURE_COOKIE=true` on the server.

</Steps>

Run this audit **after** the rest of the security work — it's the verify-and-track pass that catches what the earlier steps missed.

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **🔀 Every vendor default rotated** — admin login (👤), `APP_KEY`, demo tokens, demo data all gone.
- [ ] **🤖 Endpoints + files locked** — auth throttled, CORS scoped to your domains (no `*`), `.env`/`storage/`/backups confirmed not web-reachable.
- [ ] **🤖 Mass-assignment audit done** — no `$guarded = []`; vendor findings tracked in `_CUSTOMIZATIONS.md`.
- [ ] **🤖 Session cookies hardened** — `secure` + `http_only` + `same_site=lax`; `SESSION_SECURE_COOKIE=true` on the server.

:::next[Next step]
[Security headers & packages](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/)
:::