
I am building an application for a small group of administrators which will be locked down by password. Take it as a small "intranet" app. As my POST data is getting larger (many input fields, long forms), I am wondering about security.

My app is written with AngularJS, so I have made a full frontend validation.

NOTE: I am not using routes with AngularJS, Laravel is taking care of that. All of the data is posted by Ajax calls, Laravel is inserting data in database. Both frameworks are running on same domain.

So, here are my concerns:

Should I still validate data at the backend?

Here is my thinking.

  1. Laravel uses CSRF protection, so no data can be submitted from other "outside" form.
  2. If the user (administrator) submits a string where an integer is needed (as defined by the database structure), the insert will not happen.
  3. Laravel escapes input data, so I presume no SQL injection can be performed? I am using Eloquent ORM through all of my code.
  4. Is there something more? In general, what could be validated? Just types of inputs?

Extra question: What should I be doing differently if my app wasn't behind password?


2 Answers


In general, yes.

If a mistake is made while working on the front-end, you can end up sending data in a format that your application might not be able to handle.

Also, data from the client cannot always be relied on. Different browsers might behave in different ways and can send you data in unpredictable ways.

You should validate for minimum/maximum length, format (proper email address, file names, etc), etc. depending on the type of value on the backend as well.



  1. Include the CSRF token in the request header while sending data through Ajax.
  2. After receiving the request data in the controller, just include Laravel validation like this:

    // Rules run on the server regardless of what the browser submitted;
    // on failure Laravel returns the errors and the rest of the method never runs.
    $validationData = $request->validate([
        'title' => 'required|unique:posts|max:255',
    ]);
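The following is an added example illustrating the points made in both answers (length and format rules on the server, and a validated Ajax request in a Laravel controller); it is not code from the question or from either answer. It assumes a Laravel application with an Eloquent model `App\Models\Post` whose `$fillable` list contains the columns named below, a `posts` table with those columns, and a route pointing at `PostController@store`; all of these names and the field names are hypothetical.

```php
<?php
// Added example, not from the question or either answer.
// Assumes: model App\Models\Post with $fillable = ['title', 'body', 'priority',
// 'contact', 'attachment', 'published_at'] and a matching `posts` table.

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function store(Request $request): JsonResponse
    {
        // Server-side rules, independent of whatever AngularJS checked.
        // For an Ajax request (Accept: application/json) a failed validation
        // makes Laravel respond with HTTP 422 and a JSON list of messages,
        // and the remainder of this method does not run.
        $validated = $request->validate([
            // Type plus bounds, not just presence: 'string' rejects arrays,
            // 'max' caps length before the value reaches the database.
            'title'        => ['required', 'string', 'max:255', 'unique:posts,title'],
            'body'         => ['required', 'string', 'max:10000'],
            // Integer fields are checked as integers with an allowed range,
            // rather than relying on a database type error to reject them.
            'priority'     => ['required', 'integer', 'between:1,5'],
            // Format rules for values with a known shape.
            'contact'      => ['nullable', 'email', 'max:254'],
            // A file name restricted to a safe character set (no slashes, no spaces).
            'attachment'   => ['nullable', 'string', 'max:100', 'regex:/^[A-Za-z0-9._-]+$/'],
            'published_at' => ['nullable', 'date'],
        ]);

        // validate() returns only the keys that have rules, so any extra
        // fields the client posted are dropped instead of mass-assigned.
        $post = Post::create($validated);

        return response()->json(['id' => $post->id], 201);
    }
}
```

Two details are worth noting. First, `validate()` returns only the fields that appear in the rule set, so passing its result to `create()` is the straightforward way to keep unexpected POST keys out of the model. Second, Eloquent and the query builder send values as bound parameters, which is why the question's point 3 holds for ordinary builder calls; it does not hold for strings interpolated into `DB::raw()` or `whereRaw()`, so any such raw fragments are the places to review separately.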

