
Security Tips
Security Tip: How Should APIs Respond to HTTP?
[Tip #123] If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands?
Security Tips
[Tip #122] Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! π
Security Tips
[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! π
Birthday Retrospective
I almost missed it, but it's time to celebrate 4 years of Securing Laravel!
[In Depth #37] It's time to finally fulfil one of the most common requests for an In Depth article: setting up 2FA! π So let's add some TOTP 2FA to our boring user/pass auth login!
[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... π§
[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! π€
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
The essential security resource for Laravel developers.
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?
[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.
[In Depth #37] It's time to finally fulfil one of the most common requests for an In Depth article: setting up 2FA! π So let's add some TOTP 2FA to our boring user/pass auth login!
[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! π€¨
[Notice #4] Livewire v3 is vulnerable to an RCE (Remote Command Execution) during component property update hydration in specific scenarios. β οΈ Update your Livewire ASAP! β οΈ
[Tip #116] Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured?
[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!
[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... π§
[Tip #114] One of my favourite Laravel features, the humble HtmlString, is now available as an Eloquent Cast - which should make it much more accessible! π But there is a catch... π
[Tip #113] "Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... π±
[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! π