Security Overview

The CPR backend handles sensitive medical data and implements multiple layers of security.

Security Architecture

Request → Rate Limiting → CORS → Sanctum Auth → Branch Context → RBAC → Controller

Layers

Layer	Implementation	Purpose
Rate Limiting	Laravel throttle middleware	Prevent brute force and abuse
CORS	`config/cors.php`	Restrict cross-origin requests
Authentication	Laravel Sanctum (tokens)	Verify user identity
Branch Isolation	`EnsureBranchContext` middleware	Data scoping per clinic
Authorization	Spatie Permission (RBAC)	Role-based access control
Input Validation	Form Requests	Sanitize and validate all input
Audit Logging	Spatie Activity Log	Track all data changes
Error Tracking	Sentry	Monitor exceptions in production

Key Security Configurations

Rate Limiting (AppServiceProvider)

php

'api'            → 1000 requests/minute per user or IP
'authentication' → 5 requests/minute per IP
'public'         → 5 requests/minute per IP

CORS (config/cors.php)

php

'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_origins' => [
    'https://cpr-frontend.larrazabaleye.com',
    'http://localhost:3000',
],
'supports_credentials' => true,

Exposed Headers

The API exposes X-Branch-Id and X-Request-ID headers for branch context and request tracing.

Environment Security

Production Checklist

Set APP_DEBUG=false in production
Set APP_ENV=production
Use strong APP_KEY (auto-generated via php artisan key:generate)
Configure SANCTUM_STATEFUL_DOMAINS for your frontend domain only
Set appropriate CORS_ALLOWED_ORIGINS
Enable ENABLE_AUDIT_LOGGING=true
Configure Sentry DSN for error tracking

Authentication - Sanctum token setup
Authorization - Roles and permissions
CSRF Protection - CSRF handling for SPAs
SQL Injection Prevention - Query safety

Security Overview ​

Security Architecture ​

Layers ​

Key Security Configurations ​

Rate Limiting (AppServiceProvider) ​

CORS (config/cors.php) ​

Exposed Headers ​

Environment Security ​

Related Pages ​