From e311fa5b7e707f30a93eecfbb2d2fc134e114ac2 Mon Sep 17 00:00:00 2001
From: Flycro
Date: Thu, 19 Mar 2026 21:53:43 +0100
Subject: [PATCH] chore: add serializable_classes security option to cache config
---
 config/cache.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/config/cache.php b/config/cache.php
index b32aead..d17533c 100644
--- a/config/cache.php
+++ b/config/cache.php
@@ -114,4 +114,23 @@ return [
 'prefix' => env('CACHE_PREFIX', Str::slug((string) env('APP_NAME', 'laravel')).'-cache-'),
+ /*
+ |--------------------------------------------------------------------------
+ | Serializable Classes
+ |--------------------------------------------------------------------------
+ |
+ | This option controls which PHP classes may be unserialized when retrieving
+ | cached values. Setting this to `false` prevents unserialization of any
+ | objects, hardening your cache against PHP deserialization attacks.
+ |
+ | If your application caches PHP objects, list allowed classes explicitly:
+ |
+ | 'serializable_classes' => [
+ | App\Data\CachedDashboardStats::class,
+ | ],
+ |
+ */
+
+ 'serializable_classes' => false,
+
 ];
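Review bot: The added `'serializable_classes' => false` line changes runtime behaviour for every cached object, but the comment block above it does not say what a read returns for a class that is not allowed, or what to do with entries already stored. If the framework maps this option onto `unserialize()`'s `allowed_classes`, disallowed objects come back as `__PHP_Incomplete_Class` instead of raising an error, so code that caches models or DTOs can fail far from the cache call. I would add a line to the comment such as `| Classes not listed are not restored as objects; audit what you cache and flush existing entries when changing this value.` It is also worth confirming that the installed framework version actually reads `cache.serializable_classes`, since a key the framework ignores gives no hardening while the comment implies it does; the lockfile is not part of this patch, so that cannot be checked from here.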