{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigl6aetjglh6eqqimrldvpgvz2x4sjqzjpt67ovbtgcca5wgf6xn4",
"uri": "at://did:plc:anldby4lwneunjl777bq6ih7/app.bsky.feed.post/3mg2lbxmgggv2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiazaxu667g5esszfawwqcstzwepotgmfs5ds6qjlkmtkp64ivg46m"
},
"mimeType": "image/png",
"size": 2375950
},
"description": "[Tip #126] Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.",
"path": "/security-tip-validate-config-at-boot/",
"publishedAt": "2026-03-02T06:00:55.000Z",
"site": "https://securinglaravel.com",
"tags": [
"Security Tips",
"In Depth articles",
"Laravel Security Audit and Penetration Test",
"Security Reviews",
"Bluesky",
"other socials",
"Practical Laravel Security"
],
"textContent": "A common pattern I've come across to ensure an application has been configured correctly is to throw an exception when a required key isn't set:\n\n    if (! config('app.magic.key'))\n    {\n        throw new HttpException(\n            statusCode: 500,\n            message: 'Required magic key not configured!',\n        );\n    }\n\nThese are typically found in one of three places:\n\n 1. Right before the key is accessed / API is called.\n 2. In the `__construct()` of the relevant Controller entry point.\n 3. In a Global Middleware class.\n\nHowever, the problem with **options #1 and #2** is simple: **it will only fail when a user goes to use the code!**\n\nThis means the code will probably be deployed and the app running for minutes, hours, days, etc., before an error occurs. The resulting investigation and fix will take longer, and your user will be left with a weird error. 😔\n\n**Option #3** runs on all requests, so you'll notice pretty quickly, but now you're adding layers to your request processing - especially if you have a few checks. Plus, it only runs on web requests - you're forgetting queue jobs, console commands, broadcast auth, and potentially even your API, if you add it onto the `web` middleware group. It's not a great solution. 😑\n\nI would like to propose a fourth option: **Add it into your service provider!**\n\nIf you do something like this:\n\n    class AppServiceProvider extends ServiceProvider\n    {\n        // ...\n\n        public function boot()\n        {\n            $this->enforceMagicKeyConfigured();\n            // ...\n        }\n\n        protected function enforceMagicKeyConfigured()\n        {\n            // Fail at boot, for web requests, queue jobs and console commands alike.\n            if (! config('app.magic.key'))\n            {\n                throw new RuntimeException(\n                    message: 'Required magic key not configured!',\n                );\n            }\n        }\n    }\n\nThe config value will be checked any time your app boots up, giving you instant feedback that something is wrong, and you can fix it before it affects your users.\n\nAlso, if your app runs any `artisan` commands during the build & deploy process, it will fail during that process, blocking the build.\n\nFor example, this happened to me recently:\n\nBuild failed with \"Required magic key not configured!\"\n\n**Cool trick, but how does this relate to security?**\n\nThe other common pattern I see associated with this is code like this:\n\n    if (config('services.magic.key') == $request->token) {\n        // do something sensitive\n    }\n\nI'll leave you the exercise of figuring out how this could go horribly wrong...",
"title": "Security Tip: Validate Config at Boot",
"updatedAt": "2026-03-02T06:00:56.249Z"
}