chore: add serializable_classes security option to cache config

2026-03-19 21:53:43 +01:00
parent 97d8a2b4c2
commit e311fa5b7e
1 changed files with 19 additions and 0 deletions
--- a/config/cache.php
+++ b/config/cache.php
@@ -114,4 +114,23 @@ return [

    'prefix' => env('CACHE_PREFIX', Str::slug((string) env('APP_NAME', 'laravel')).'-cache-'),

+    /*
+    |--------------------------------------------------------------------------
+    | Serializable Classes
+    |--------------------------------------------------------------------------
+    |
+    | This option controls which PHP classes may be unserialized when retrieving
+    | cached values. Setting this to `false` prevents unserialization of any
+    | objects, hardening your cache against PHP deserialization attacks.
+    |
+    | If your application caches PHP objects, list allowed classes explicitly:
+    |
+    |   'serializable_classes' => [
+    |       App\Data\CachedDashboardStats::class,
+    |   ],
+    |
+    */
+
+    'serializable_classes' => false,
+
 ];