Enlightn: Boost your Laravel App's Performance & Security
Published on by Eric L. Barnes
Enlightn is an amazing tool that helps you boost your Laravel application's performance and security. It has 120 automated checks that scan your application code, hit your routes, and check your server configurations to provide recommendations on improving performance, security, and code reliability.
Using Enlightn
Enlightn has two versions: open source (with 60 checks) and a Pro version (with 120 checks).
You can install the open source version through Composer. To install the Pro version, check out the Enlightn documentation.

```bash
composer require enlightn/enlightn
```
After that, all you need to do is run the enlightn Artisan command:

```bash
php artisan enlightn
```
With this command, Enlightn, being the awesome consultant that it is, starts its analysis on your application.
TIP: To get the most out of Enlightn, we found it's best to run Enlightn on your production setup. Many of Enlightn's checks are environment-specific, so they may only be triggered when your app environment is in production.
Features
With 120 automated checks, Enlightn covers almost every aspect of performance, security, and code reliability that you can think of!
Performance Checks
Enlightn has 34 automated performance checks. Some of our favorite ones include:
- Route caching
- Detection of N+1, slow, and duplicate queries
- Checking for compression and cache headers
- Middleware bloat detection
Security Checks
Enlightn has 45 automated security checks that detect vulnerabilities in your application. The vulnerabilities it scans for include:
- Insecure PHP configurations
- SQL injection vulnerabilities
- Injection and phishing attacks
- Unrestricted file uploads
Code Reliability Checks
Enlightn has 41 automated reliability checks including:
- Dead route and dead code detection
- Detecting misconfigurations
- Bug detection
- Health checks
Query Optimizations
Enlightn can scan your app's code and detect possible query optimizations. Consider the code below:
```php
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Client extends Model
{
    // teamMembers() is assumed to be a relationship defined on this model.
    public function countTeamMembers()
    {
        // Loads every related row into a collection, then counts it in PHP.
        return $this->teamMembers->count();
    }
}
```

In the example above, we first fire a query that loads all of the client's team members into memory, and then count the resulting collection in PHP.
Enlightn can automagically detect this and alert you. The query can be optimized by performing the count at the query level like so:
```php
public function countTeamMembers()
{
    // Runs a SELECT COUNT(*) on the relationship query; no rows are hydrated.
    return $this->teamMembers()->count();
}
```
Performance Tuning
Enlightn doesn't just scan your application code. It can also detect opportunities to tune server configurations.
Some of these opportunities can make a huge impact on performance. For instance, by setting the right compression headers on your web server, you can reduce your asset file size by 80%!
In the example application above, we missed configuring compression headers and Enlightn helps flag them. Not only that, but it also points to detailed documentation where you can learn how to configure these headers on Apache, Nginx or even your CDN!
N+1 Query Detection
Enlightn also integrates with Laravel Telescope to detect N+1 queries in your code. It highlights the files and line numbers responsible for the N+1 queries to make it easy for you to identify them in your code.
Consider the blade template below:
```blade
@foreach ($posts as $post)
    <x-post :data="$post" :comments="$post->comments" />
@endforeach
```

In our PostController, if we forget to eager load the post comments and each page has 25 posts, it would result in 26 queries instead of 1.
For static analyzers, N+1 query detection is almost impossible, especially for a loosely typed language like PHP. But Enlightn combines dynamic analysis with static analysis to make this possible.
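The PostController the article refers to, written both ways, as an added example that is not part of the original post. A Post model with a comments relationship, a posts.index view and the x-post component are assumed to exist.

```php
<?php
// Added example (not from the article). Post::comments() and the
// posts.index view are assumed to exist.

namespace App\Http\Controllers;

use App\Models\Post;

class PostController extends Controller
{
    // N+1: one query for the page of posts, then one "comments" query per
    // post as the Blade loop reads $post->comments for each of the 25 posts.
    public function indexLazy()
    {
        $posts = Post::latest()->paginate(25);

        return view('posts.index', ['posts' => $posts]);
    }

    // Eager loaded: the comments for all 25 posts arrive in a single
    // additional "where post_id in (...)" query, so the Blade loop no longer
    // touches the database at all.
    public function index()
    {
        $posts = Post::with('comments')->latest()->paginate(25);

        return view('posts.index', ['posts' => $posts]);
    }
}
```

Newer Laravel releases can additionally make any lazy load throw outside production via Model::preventLazyLoading() in a service provider, which turns this class of N+1 into a failing test rather than a slow page.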
Dependency Vulnerabilities Scanner
Enlightn has a dependency vulnerabilities scanner built-in that checks your package dependencies on both your frontend and backend and alerts you if any packages are missing security updates.
Laravel recently released a security fix and the example application below wasn't updated with the security fix. Enlightn immediately flagged this for us!
SQL Injection
Enlightn can detect a wide variety of SQL injection vulnerabilities for Laravel applications.
Consider the following code:
```php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class ProfileController extends Controller
{
    public function validateEmail(Request $request)
    {
        $this->validate($request, [
            'email' => [
                'required',
                // The id comes straight from request input, which the Laravel
                // documentation warns against passing to ignore().
                Rule::unique('users')->ignore($request->input('id')),
            ],
        ]);
    }
}
```

This may look like normal validation, but it is actually vulnerable to SQL injection. In fact, the Laravel documentation warns against it. It's not always possible to stay up to date with the Laravel documentation, though.
Enlightn makes it easy by flagging these errors and linking to detailed documentation on how to stay secure from each of these vulnerabilities.
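The same validation written so that the ignore() argument can only come from a server-side model, never from request input, as an added example that is not from the article. A User model and a route such as PUT /profile/{user} with route model binding are assumed.

```php
<?php
// Added example (not from the article). App\Models\User and a {user}
// route parameter resolved by route model binding are assumed.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class ProfileController extends Controller
{
    // The model to ignore is resolved by Laravel from the route, so the value
    // handed to ignore() is a system-generated id, as the docs require.
    public function validateEmail(Request $request, User $user)
    {
        $this->validate($request, [
            'email' => [
                'required',
                'email',
                Rule::unique('users')->ignore($user),
            ],
        ]);
    }

    // If the endpoint only ever updates the logged-in user's own profile,
    // the id can come from the authenticated session instead of the URL.
    public function validateOwnEmail(Request $request)
    {
        $this->validate($request, [
            'email' => [
                'required',
                'email',
                Rule::unique('users')->ignore($request->user()->id),
            ],
        ]);
    }
}
```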
Unrestricted File Uploads
Unrestricted file upload is another vulnerability that modern web applications need to be mindful of.

In the application below, we are storing files at a path determined by untrusted user input. This may result in a vulnerability where users can overwrite critical files such as /etc/passwd or .env on your server.

```php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;

class DocumentController extends Controller
{
    public function upload(Request $request)
    {
        // The directory part of the path is taken from request input unchanged.
        $request->file('document')->storeAs(
            'docs/'.auth()->id().'/'.$request->input('filename'),
            Str::uuid()
        );
    }
}
```
It is difficult to keep track of what's dangerous and what's not, especially as both the web landscape and the Laravel framework evolve over time. Enlightn can take care of that for you.
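The upload handler rewritten so that every part of the stored path is generated on the server, as an added example that is not from the article. A Document model with the listed fillable columns and the default local disk are assumed; the client's filename survives only as display metadata.

```php
<?php
// Added example (not from the article). App\Models\Document with fillable
// user_id, path and original_name columns is assumed.

namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

class DocumentController extends Controller
{
    public function upload(Request $request)
    {
        $request->validate([
            // Constrain type and size up front; the extension used on disk is
            // derived from the detected MIME type, not from the client's name.
            'document' => ['required', 'file', 'mimes:pdf,png,jpg', 'max:10240'],
        ]);

        $file = $request->file('document');

        // Directory and file name are server generated: user id from the
        // session, a random UUID, and an extension from the sniffed MIME
        // type. Nothing the client sent can contribute "../" or a leading "/".
        $path = $file->storeAs(
            'docs/'.auth()->id(),
            (string) Str::uuid().'.'.$file->extension(),
            'local'
        );

        // Keep the original name for display only, with any directory
        // components stripped so it can never be reused as a path later.
        Document::create([
            'user_id' => auth()->id(),
            'path' => $path,
            'original_name' => basename($file->getClientOriginalName()),
        ]);

        return back();
    }
}
```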
Dead Route Detection
While maintaining an application over a long period of time, you may remove certain controllers or controller methods as needs change, but forget to remove the corresponding route registrations.
This accumulates technical debt and makes your code harder to read.
Enlightn can thankfully detect dead routes (routes that have missing controllers or methods) to help your code stay clean and even detect broken links in your application.
In the example application below, Enlightn detects 2 dead routes in the application.
Detecting Misconfigurations
Enlightn is also good at detecting misconfigurations that may cause problems down the road.
For instance, if you set a generic cache prefix and share your cache servers, this can create collision problems. Even if you don't use caching directly in your application, the Laravel Framework uses it for rate limiting, unique job locks, and queueing.
Imagine throttling a user on the first application, only to learn that a user with the same ID on another application that shares cache servers is also getting throttled.
These are the kinds of misconfigurations Enlightn automatically detects.
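The relevant part of config/cache.php with the generic prefix shown beside a per-application one, as an added example that is not from the article. The Str::slug based value is Laravel's own default; CACHE_PREFIX as the override variable is this example's choice.

```php
<?php
// Added example (not from the article): config/cache.php fragment.
// Two applications that share one Redis or Memcached server must not share
// a prefix, or their rate-limiter and unique-job lock keys collide.

return [
    'default' => env('CACHE_DRIVER', 'redis'),

    // Weak: a generic prefix that another app on the same cache server is
    // likely to use too, so throttle and lock keys for user id 42 in one app
    // are the same keys as for user id 42 in the other.
    // 'prefix' => 'laravel_cache',

    // Better: derive the prefix from the application name (Laravel's default)
    // and allow an explicit per-deployment override via CACHE_PREFIX so two
    // installs of the same code base still get distinct key spaces.
    'prefix' => env(
        'CACHE_PREFIX',
        \Illuminate\Support\Str::slug(env('APP_NAME', 'laravel'), '_').'_cache'
    ),
];
```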
In Closing
Enlightn looks like an awesome tool and seems to be a first of its kind for Laravel. In this post, we were only able to cover a handful of the 120 automated checks it has to offer.
You should definitely take it for a spin and try it out. You can find the open-source version (with 60 checks) on its GitHub repository.
You can also grab a license from the Enlightn website to get access to 60 additional checks to make your app perform better and stay secure. We'd say it's worth it!
Eric is the creator of Laravel News and has been covering Laravel since 2012.