{} CodeLift
Security Hardened Laravel

Laravel + Vue Starter Kit: Docker-verified fork

We took the official laravel/vue-starter-kit (Inertia + Vue 3 + shadcn-vue + Fortify), ran it inside Docker, and published a production-hardened fork. Tests go from 40 passed to 44 passed / 151 assertions. This article covers the Vue / Ine…

Pub 2026-04-19 Verified 2026-04-19 Upd 2026-04-19
日本語で読む →

Verification environment

  • PHP 8.5.5
  • Laravel 13.5.0
  • Composer 2.9.7
  • Node 22.22.2
  • npm 10.9.7
  • Frontend Vue 3 (Composition API) + Inertia
  • Database SQLite (tests)
  • OS Docker Desktop (php:8.5-cli-bookworm)

Laravel + Vue Starter Kit: Docker-verified fork

We took the official laravel/vue-starter-kit (Inertia + Vue 3 + shadcn-vue + Fortify), ran it inside Docker, and published a production-hardened fork. Tests go from 40 passed to 44 passed / 151 assertions. This article covers the Vue / Inertia-specific findings only.

The 6 backend improvements are identical across the React, Vue, and Livewire forks, so they're consolidated in the pillar article:

Hardening the shared Laravel starter-kit backend

This is the cluster piece covering only what's specific to the Vue Starter Kit.

Target

Item Value
Name Laravel + Vue Starter Kit
Official URL https://github.com/laravel/vue-starter-kit
Improved fork https://github.com/codelift-dev/vue-starter-kit/tree/improvements
Stack Laravel 13 + Inertia + Vue 3 (Composition API) + TypeScript + shadcn-vue + Fortify
Upstream / improved license MIT / MIT
Verification date 2026-04-19
Upstream commit laravel/vue-starter-kit@1233a92

Environment

Same as the pillar (Docker Desktop, PHP 8.5.5 / Laravel 13.x / Node 22.22.2).

git clone https://github.com/codelift-dev/vue-starter-kit.git
cd vue-starter-kit
git checkout improvements
docker compose -f codelift/docker-compose.yml build
docker compose -f codelift/docker-compose.yml run --rm app

Vue-specific findings

A. The Wayfinder build-order footgun

A structural issue shared with the React kit. vite.config.ts includes @laravel/vite-plugin-wayfinder, so running npm run build before composer install fails — the build's php artisan wayfinder:generate call can't load vendor/autoload.php:

require(.../vendor/autoload.php): Failed to open stream: No such file or directory

The error never names composer install, so a first look suspects a Vite / Wayfinder bug.

Fix: a README Setup section spelling out composer installnpm run build.

Vue 3 Composition API and Inertia

The Vue Starter Kit is built with Vue 3's Composition API (<script setup>). Where the React kit uses JSX + hooks, the Vue kit uses SFCs (single-file components) with ref / computed reactivity, and uses shadcn-vue instead of React's shadcn/ui. Both component libraries are copy-into-your-repo rather than npm dependencies, landing under resources/js/components/ui.

But for production hardening, this frontend difference barely matters. Inertia's behavior — the server returns a JSON page object, the initial HTML embeds initial props in a data-page attribute — is identical to the React kit. So the obstacle to tightening Content-Security-Policy is the same: dropping 'unsafe-inline' for a nonce-based policy requires modifying Inertia's response rendering.

CodeLift's fork introduces a CSP (pillar finding D) but conservatively keeps 'unsafe-inline'. If you want the nonce migration, the Livewire kit — no Inertia — can do it; see the Livewire CSP nonce article.

J. Settings endpoint rate limiting

routes/settings.php declares an explicit throttle only on the password update route; profile update (PATCH) / destroy (DELETE) are unprotected.

The Vue kit, like the React kit, expresses settings mutations as HTTP verbs, so adding throttle middleware at the route definition is enough (throttle:10,1 on PATCH, throttle:3,1 on DELETE). Only the Livewire kit has a different routing shape where this fix doesn't carry over.

Why a separate article from React

The Vue and React kits share the backend entirely, and the frontend findings (A, J) behave almost the same. You might ask whether this is just the same article twice. The reasons it isn't:

  • The improved fork is a separate repository. Telling a Vue team "go read the React diff" doesn't let them adopt it. The Vue fork's commits and test results have to be recorded and published independently.
  • Writing the shared backend explanation twice is worthless — so it's consolidated into the pillar, and this article is purified down to Vue specifics.

The result: overlap between the React article and this one is just the minimal description of the shared findings A and J.

Commit layout of the improved fork

8 commits on improvements (README Setup [A] / .env [B] / timezone [C] / forceScheme [E] / SetSecurityHeaders [D] / rate limiter [G] / auth log [I] / settings throttle [J]). B/C/D/E/G/I are sourced from the pillar; A/J from this article.

Tests: upstream 40 passed → improved 44 passed / 151 assertions.

Before / after (Vue-specific part)

Dimension Official Improved
php artisan test 40 passed / 136 assertions 44 passed / 151 assertions
Build-order documentation None README Setup section
Settings endpoint throttle Password only + profile update / destroy

The before/after for the 6 shared backend findings is in the pillar article.

When this fits

  • You're starting a production product on laravel/vue-starter-kit.
  • You're choosing React vs Vue → backend cost is identical; decide on frontend taste, hiring market, and shadcn-vue vs shadcn/ui. See the three-way comparison.

Reproduce and adopt

git clone https://github.com/codelift-dev/vue-starter-kit.git
cd vue-starter-kit
git diff main improvements -- . ':!codelift'

Related

License

Upstream and improved fork both MIT. Findings reflect the verification date.

#Laravel #PHP #Security #Inertia #Starter Kit #Fortify #Vue

Featured in comparisons

Related articles