Thanks for the reply. I see your point, and it is a great moment to rethink your user security at times like these.
As of this moment I don't do a lot different from your approach; my code is usually wrapped around a few things due to framework choices, but when you reverse it and remove some additional optimization shit, it is pretty much the same.
As for further security, I tend to focus more on my forms (injection and man-in-the-middle prevention), the information I'm returning directly to users and guests (think: errors, general info messages, etc.), and adding permission checks and password/two-factor authentication double checks on specific pages like user settings.
As for information stored in the database, I generally tend to encrypt all the personal information of my users (DoBs, names, general address info, etc.). I've written my own encrypt/decrypt Laravel package using bcrypt for dynamic encryption (to avoid max bit length issues when statically encrypting). It takes a bit longer (generally 1.7 sec per request), but I prefer the small wait over possibly compromising user data.
I do have to note that I work for a company that works for mortgage advisors and banks, so I tend to work with highly personal data, and I'm mostly required by law to add these "extreme measures" on small applications.
Hope it helps you with your security audit.
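As an added example of the field-level encryption of stored personal data discussed in the post above (example code written for this edit; it is not the poster's package and not Laravel code), here is the same idea in Go with the standard library's AES-256-GCM. Each value gets a fresh random nonce, the column name is bound as associated data so a ciphertext copied into another column fails to decrypt, and the authentication tag rejects modified or truncated data. The column list, the demo key derivation and the record layout are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// piiColumns lists the record fields encrypted before they reach the database.
// Everything else (ids, timestamps) is stored as-is so it stays queryable.
// Assumption for this example; a real schema defines its own list.
var piiColumns = map[string]bool{"name": true, "dob": true, "address": true}

// FieldCipher encrypts individual record fields with AES-256-GCM.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds a cipher from a 32-byte key. In production the key
// comes from a secrets manager or KMS, never from source code.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag) for one field value.
// A fresh random nonce per value means equal plaintexts produce different
// ciphertexts; the column name is bound as associated data so a ciphertext
// moved to another column fails authentication on decrypt.
func (fc *FieldCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. Every failure (bad encoding, wrong key, wrong
// column, truncated or modified ciphertext) is reported as one generic error
// so callers cannot leak which check failed to end users.
func (fc *FieldCipher) Decrypt(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", errors.New("decryption failed")
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("decryption failed")
	}
	plain, err := fc.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", errors.New("decryption failed")
	}
	return string(plain), nil
}

// transformRecord applies fn to the PII columns of a row and copies the rest.
func transformRecord(row map[string]string, fn func(col, val string) (string, error)) (map[string]string, error) {
	out := make(map[string]string, len(row))
	for col, val := range row {
		if !piiColumns[col] {
			out[col] = val
			continue
		}
		v, err := fn(col, val)
		if err != nil {
			return nil, err
		}
		out[col] = v
	}
	return out, nil
}

// EncryptRecord encrypts only the PII columns of a row before it is stored.
func (fc *FieldCipher) EncryptRecord(row map[string]string) (map[string]string, error) {
	return transformRecord(row, fc.Encrypt)
}

// DecryptRecord is the inverse of EncryptRecord, applied after loading a row.
func (fc *FieldCipher) DecryptRecord(row map[string]string) (map[string]string, error) {
	return transformRecord(row, fc.Decrypt)
}

func main() {
	// Demo-only key derived from a fixed string; use KMS-provided key material in practice.
	key := sha256.Sum256([]byte("demo-only key material, do not use"))
	fc, err := NewFieldCipher(key[:])
	if err != nil {
		panic(err)
	}
	row := map[string]string{"id": "42", "name": "Ada Lovelace", "dob": "1815-12-10", "address": "St James's Square, London"}
	stored, _ := fc.EncryptRecord(row) // constructed sample row for the demo
	fmt.Println("stored:", stored)
	back, _ := fc.DecryptRecord(stored)
	fmt.Println("decrypted:", back)
}
```

Two properties are worth checking in any package of this kind: encrypting the same value twice must yield different ciphertexts (otherwise equal dates of birth are visible as equal blobs in a database dump), and decrypting with the wrong column, or after flipping a single byte, must fail rather than return garbage. A symmetric AEAD like this also has no practical plaintext length limit, so long address fields need no special handling.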