We provide security updates for the following versions of Laravel WebAuthn:

| Version | Supported |
|---|---|
| 1.x | ✅ |
| 0.x | ❌ |

Only the latest stable version receives security updates. Upgrading to the latest version is recommended if you are using an unsupported version.
This package includes several built-in security features to protect against common attacks:

- **Rate limiting**
  - Protection: Prevents brute force attacks on login and registration
  - Configuration: Configurable via `config/webauthn.php` or environment variables
  - Default: 5 attempts per minute per user/IP
  - Recommendation: Keep rate limiting enabled in production
- **Audit logging**
  - Protection: Comprehensive logging of all WebAuthn operations
  - Features: Logs registrations, logins, deletions, and errors with full context
  - Configuration: Configurable log channel via `WEBAUTHN_AUDIT_LOG_CHANNEL`
  - Recommendation: Enable audit logging for security monitoring and compliance
- **Sign counter validation**
  - Protection: Sign counter validation prevents replay attacks
  - Implementation: Automatic counter validation on each authentication
  - Recommendation: Always enabled, no configuration needed
- **Allowed origins**
  - Protection: Ensures requests come from allowed origins only
  - Configuration: Configure allowed origins in `config/webauthn.php`
  - Recommendation: Only include trusted domains in `allowed_origins`
- **Challenges**
  - Protection: One-time challenges prevent replay attacks
  - Implementation: Challenges are invalidated after use
  - Recommendation: Always enabled, no configuration needed
- **User verification**
  - Protection: Optional user verification requirement
  - Configuration: Enable via `WEBAUTHN_REQUIRE_UV=true`
  - Recommendation: Enable for high-security applications
- **Allowed algorithms**
  - Protection: Only allows configured cryptographic algorithms
  - Configuration: Configure in `config/webauthn.php` → `allowed_algorithms`
  - Default: ES256, ES384, ES512, RS256
  - Recommendation: Only enable algorithms you need
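To make the sign counter item above concrete, here is an added example of the check such a validation performs, written for this page and not taken from the Laravel WebAuthn package. It assumes the WebAuthn authenticator-data layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount) and the spec's rule that a counter which fails to increase signals a replayed assertion or a cloned authenticator; the class name and sample bytes are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the package's own code): sign counter extraction and
// validation as described by the WebAuthn spec.
// Authenticator data layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
final class SignCounter
{
    /** Extracts signCount from raw authenticator data. */
    public static function fromAuthData(string $authData): int
    {
        if (strlen($authData) < 37) {
            throw new InvalidArgumentException('authenticator data too short');
        }
        return unpack('N', substr($authData, 33, 4))[1];
    }

    /**
     * Returns the counter value to persist for the credential, or throws
     * when the assertion does not move the counter strictly forward.
     */
    public static function validate(int $stored, int $asserted): int
    {
        // Authenticators without a counter always report 0; when both the
        // stored and asserted values are 0 the spec says to skip the check.
        if ($stored === 0 && $asserted === 0) {
            return 0;
        }
        // Equal or lower counter: replayed assertion or cloned authenticator.
        // Reject, and let the caller record it in the audit log.
        if ($asserted <= $stored) {
            throw new RuntimeException(sprintf(
                'sign counter did not increase (stored=%d, asserted=%d)',
                $stored,
                $asserted
            ));
        }
        return $asserted;
    }
}

// Constructed sample: zeroed rpIdHash, flags UP|UV (0x05), counter 42.
$authData = str_repeat("\x00", 32) . "\x05" . pack('N', 42);
$asserted = SignCounter::fromAuthData($authData);
$next = SignCounter::validate(41, $asserted);   // accepted: counter moved forward
try {
    SignCounter::validate($next, $asserted);    // same counter again: rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```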
If you discover a security vulnerability in Laravel WebAuthn, please report it responsibly by following these guidelines:

1. Do not open a public issue for security bugs.
2. Email the security team directly at: [email protected]

   Include:
   - A clear description of the vulnerability.
   - Steps to reproduce.
   - Affected version(s).
   - Any suggested fixes, if possible.
3. We will acknowledge receipt of your report within 48 hours.
4. Security issues will be fixed in a timely manner, and a patched release will be made available.
5. If the report is accepted, you may be credited in the release notes (unless you request to remain anonymous).

- Acknowledgment of report: within 48 hours
- Security patch release: as soon as possible depending on severity
- Public disclosure: after patch release, unless agreed otherwise
When using this package, we recommend:
- Enable Rate Limiting: Keep rate limiting enabled to prevent brute force attacks
- Enable Audit Logging: Monitor all WebAuthn operations for security analysis
- Configure Allowed Origins: Only include trusted domains in `allowed_origins`
- Use HTTPS: Always use HTTPS in production to protect WebAuthn communications
- Keep Updated: Regularly update to the latest version for security patches
- Review Audit Logs: Regularly review audit logs for suspicious activity
- User Verification: Consider enabling user verification for high-security applications
- Algorithm Selection: Only enable cryptographic algorithms you actually need

- Private Keys: Private keys never leave the authenticator device
- Public Keys: Public keys are stored in the database (PEM format)
- Credentials: Credential IDs are stored as binary data
- Signatures: All signatures are verified using OpenSSL
- Challenges: Challenges are cryptographically random and single-use
- Counters: Sign counters prevent replay attacks