In Depth
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
Security Tips
[Tip #108] Temporary URLs for file access is an essential piece of the security puzzle, which up until recently were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!
Security Tips
[Tip #107] Laravel 12 introduced a seemingly minor change - image validation now excludes SVGs by default. ๐ค Let's take a look at why this is so important! ๐ค
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
[In Depth #29] It's time to spend some time looking for smelly or suspicious code, searching for common patterns and functions that usually show up around weaknesses. ๐ต๏ธ
The essential security resource for Laravel developers.
[Tip #106] Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious 500 server errors! ๐ฑ
[Tip #105] These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours.
[Tip #104] It's easy for type juggling to sneak into authorisation callbacks, especially when types are ambiguous, and if you're not careful, you may be leaving a massive hole waiting to be exploited! ๐ฑ
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
[Tip #103] It's story time! Let's look at the SHA-3 competition as a reminder that crypto is hard... ๐ฑ
[Tip #102] In less than 2 weeks, Laravel 10.x will no longer be supported, and PHP 8.1 has less than 12 months left! Do you have an upgrade plan?
[Tip #101] Password length limits are often a sign of a legacy backend or insecure hashing, but did you know bcrypt only hashes the first 72 characters? It raises the question, should we be limiting password lengths when using bcrypt too? ๐ค
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
[Tip #100] One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.
[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me! ๐
[Tip #98] XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...
[Tip #97] XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your apps!
