gotcha | php | laravel | Critical
Livewire: Component State, Hydration, and Security
Tags: livewire, public property, locked, hydration, security, computed, state tampering, wire:model
Problem
Livewire public properties are exposed to the client and can be tampered with. Developers store sensitive data (user IDs used for authorization, prices) in public properties without realising the client can modify them.
Solution
Never derive authorization decisions from public properties alone. Always re-check permissions in action methods against the authenticated user. Use the #[Locked] attribute (Livewire 3) on properties that the client must not modify. Keep sensitive computed values in private properties, or compute them fresh in the action method that uses them.
Why
Livewire serialises public properties to JSON and sends them to the browser as part of the component snapshot. On each subsequent request the component is hydrated from that client-supplied state, so a malicious user can submit modified property values. #[Locked] causes Livewire to throw if the client attempts to change the property.
Gotchas
- #[Locked] prevents client mutation but the value is still visible in the HTML snapshot
- Use #[Computed] properties for values derived from the database—they are not serialised to the client
- Livewire 3 uses Alpine.js for reactivity; ensure Alpine version compatibility
- Long-running actions should use wire:loading to give UI feedback and prevent double-submission
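The following is an added example, not code from the original page or from the Livewire project. It shows the tampering problem from the Problem section and the fix from the Solution section side by side: a checkout component that trusts a price and a user id held in public properties, followed by the hardened version that locks the identifier, derives the price with #[Computed] (so it never reaches the client snapshot) and takes the user from the session. App\Models\Product, App\Models\Order and the route-model binding in mount() are assumed; the two classes are placed in one file only for comparison.

```php
<?php
// Added example (not from the original page): the same "place order" action
// written first with tamperable public properties, then hardened.
// App\Models\Product and App\Models\Order are assumed to exist.

namespace App\Livewire;

use App\Models\Order;
use App\Models\Product;
use Livewire\Attributes\Computed;
use Livewire\Attributes\Locked;
use Livewire\Component;

// VULNERABLE: $price and $userId are serialised into the component snapshot
// and hydrated from whatever the client sends back on the next request.
class CheckoutVulnerable extends Component
{
    public int $productId;
    public float $price;      // client can rewrite this before calling placeOrder
    public int $userId;       // client can rewrite this to another user's id
    public int $quantity = 1;

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
        $this->price = $product->price;
        $this->userId = auth()->id();
    }

    public function placeOrder(): void
    {
        Order::create([
            'user_id'    => $this->userId,                 // trusted from client state
            'product_id' => $this->productId,
            'total'      => $this->price * $this->quantity, // trusted from client state
        ]);
    }
}

// HARDENED: only the identifier and user-editable input are public; the identifier
// is locked, the price is a computed property (never serialised to the client),
// and the user comes from the authenticated session rather than component state.
class Checkout extends Component
{
    #[Locked]
    public int $productId;
    public int $quantity = 1;   // the only value wire:model should bind

    public function mount(Product $product): void
    {
        $this->productId = $product->id;
    }

    // Recomputed from the database on each request; not part of the client snapshot.
    #[Computed]
    public function price(): float
    {
        return Product::findOrFail($this->productId)->price;
    }

    public function placeOrder(): void
    {
        // Validate the one client-controlled input before using it.
        $this->validate(['quantity' => 'required|integer|min:1|max:100']);

        Order::create([
            'user_id'    => auth()->id(),                  // from the session, not the client
            'product_id' => $this->productId,              // #[Locked]: tampering throws
            'total'      => $this->price * $this->quantity, // #[Computed]: fresh from the DB
        ]);
    }
}
```

In the Blade view for the hardened component only `wire:model="quantity"` is bound; `price` is read as `$this->price` in the template and in the action, and because it is a #[Computed] method it is resolved server-side on every request instead of being round-tripped through the browser.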
Code Snippets
Livewire property security with #[Locked]
<?php
namespace App\Livewire;

use App\Models\Post;
use Livewire\Attributes\Locked;
use Livewire\Component;

class EditPost extends Component
{
    #[Locked] // Livewire throws if the client tampers with this value
    public int $postId;
    public string $title = '';

    public function mount(Post $post): void
    {
        $this->postId = $post->id;
        $this->title = $post->title;
    }

    public function save(): void
    {
        $post = Post::findOrFail($this->postId);
        $this->authorize('update', $post); // always re-check against the authenticated user
        $post->update(['title' => $this->title]);
    }
}