3 years of Securing Laravel! 🎂

Thank you for 3 incredible years of security in the Laravel community!

Greetings, my friends!

I'm writing this on 31st August 2024, and it is exactly 3 years since I sent out my first email to Laravel Security in Depth! There have been a few changes over the years, such as renaming to Securing Laravel back in May 2023, and moving from Substack to Ghost in April/May this year, but throughout all of that, I've been sending out emails each week about Laravel Security.

As of right now, I have written and published 90 security tips, and 28 in depth articles, alongside a bunch of other special articles, including the OWASP Top 10 series at the end of 2022. I still find those numbers incredible, especially since I'm pretty sure I never actually missed a week! (I've been late a few times, but never missed one.) As someone who only blogged infrequently prior to starting this, and (still) is taking forever to build a course, I am incredibly proud of what I've been able to achieve with Securing Laravel.

All of that comes from you, my wonderful subscribers. I owe all of this to you, and your support and encouragement. Thank you so much for supporting Securing Laravel, and reading my emails every week. It means so much knowing folks value my work, and are interested in learning what I have to teach. 🙏

Now, let's look at what happened this past year...

Subscribers

As of right now, I have 3,858 subscribers (both free and paid), which is incredibly awesome! I was hoping to hit 4,000 by today, but that's still pretty close! Last year I had 2,521 subscribers, which is an increase of 1,337. 🤣 (A good consolation prize for not hitting 4,000.)

Of that number, there are currently 162 premium subscribers, which I am absolutely humbled by. I started this as a labour of love, and it now financially supports me by directly paying for the time I spend writing these emails each week. As a self-employed consultant who loves doing developer education in the security space, this support means the world. Thank you. 🥰

I would love to grow both these numbers within the next 12 months, so I'm setting myself a goal of 6,000 total subscribers and 200 premium subscribers. 🤞 If I can get more premium subscribers, it will let me do some really cool things, but I'll talk about that below.

Published Articles

In the last 12 months, I have published:

Note, the numbers don't add up because my release schedule is every 8 days not 7, and last week was supposed to have an In Depth not a Tip.

The Security Tips covered a very wide range of topics this year, from protecting against timing attacks, increasing bcrypt rounds, avoiding XSS in various different scenarios, configuring security headers, validation, testing, and lots more...

We also had a departure from our normal schedule with a Laravel Security Notice, where I touched on the "Androxgh0st" malware, which was "targeting" Laravel in the wild. Given it was going around the media without useful details, I felt the need to set the record straight on why it was most likely not going to affect you, and how to check you're safe.

We recently started a new series called Pentesting Laravel, where I am walking you through my entire Security Audit and Penetration Testing process with an intentionally vulnerable app. This is my favourite series to date, and contains a lot of really cool tips. I'm not holding anything back, and you can take these articles and work through your own apps. The series will continue next week with part 3.

In addition, the following In Depth articles were published:

  1. Adding Rehashing to Laravel
    I walk you through the process of adding password rehashing back into Laravel (since it was inexplicably missing), and explain how the authentication system works. This is a fascinating one for anyone interested in the auth system.
  2. Securing Apps on Forge
    An overview of my process for deploying apps on Laravel Forge and how I ensure they are deployed securely. A must for anyone who uses Forge, as some of Forge's defaults aren't security best practice.
  3. Introducing Random
    Release announcement and documentation for my PHP package called Random. It provides cryptographically secure randomness in various forms for all PHP apps, regardless of version and framework.
  4. Protecting Staging Sites!
    A bunch of tips and recommendations for deploying staging sites securely, to avoid them being compromised and used to attack production.
  5. Registration Without Enumeration!
    Answering a common question: how can you build a registration form that doesn't leak user existence? The default Laravel scaffolding is very leaky, so this fills a gap if you deal with PII or PHI and can't have enumeration vectors.
  6. Graceful Encryption Key Rotation
    Laravel 11 introduced encryption key rotation, so we dive into exactly how it works, and when you should (and shouldn't) use it.
  7. Using CSS Clickjacking to Steal Passwords
    An exploration into a fun vulnerability I found on a client app, which involves abusing inline CSS to conduct a clickjacking attack to steal sensitive information like passwords. I am very proud of this one, as it shows just how sneaky some attacks can be, and how you have to be so careful with what you allow in your apps.
  8. Pentesting Laravel part 1 - Passive Scans
  9. Pentesting Laravel part 2 - Configs, Dependencies, and Routes

In addition to writing a new email & article each week, I've also been working through my older articles, updating content and fixing styling, and posting them on social media. This has been a great way to get more eyes on the site, and more subscribers signing up. Most of my past articles are still very relevant, so keeping them circulating like this has the added benefit of reminding folks about important security issues.

Move to Ghost

I originally launched on Substack because they offered a really simple way to start a paid newsletter, and had solid technology and good marketing options. I was a happy author for the first couple of years.

When Twitter was bought by Musk and there was a kerfuffle regarding .substack.com links being blocked, I switched to a custom domain name (securinglaravel.com) and renamed to Securing Laravel. At the time it was motivated by the need to promote my links on Twitter and get rid of the .substack.com domain, but from that point I started to notice some warning signs around Substack (summary: Substack support racist content and attacked their users who tried to speak out about it).

Around the start of this year, I started to seriously look for an alternative and get off Substack. One option was to build a platform myself on Laravel, but I honestly just didn't have the time to stuff around integrating billing, emails, member management, etc. That's my eventual goal, but unless a lot of you suddenly sign up for a premium subscription soon, it won't be happening this year. 😔

Instead, I looked at alternatives. I checked out three main options: Buttondown, beehiiv, and Ghost. I liked Buttondown, but it didn't have a nice web presence, which is important for sharing on socials, and beehiiv was very noisy with a huge amount of features. Ghost felt simple but powerful, and most importantly, they had a Concierge Team who managed the migration for me!

After a bunch of questions to ease my paranoia, the migration actually happened! I sent out my first Ghost-powered Security Tip on the 6th May 2024!

The Concierge team made it fairly easy, but it wasn't completely straightforward. There were some small things that went wrong, such as:

  • My Stripe account was locked by Substack, and required a game of three-player email tennis to get it locked at the right time.
  • None of the URLs persisted after the migration, so the entire site 404'ed, but luckily this was easily fixed with a custom redirect route. (This had me stressed for a few hours though!)
  • Some of the content formatting had broken, with missing elements from Substack that Ghost doesn't have.
  • No footnotes! 😭 Long time readers will know I used to use footnotes excessively, so it was quite frustrating to discover they were missing. I've since changed my writing style so I don't rely on them any more.
  • Ongoing billing issue! 😡 Annoyingly, Ghost doesn't support importing or showing discounts applied to subscriptions prior to the import, which means anyone with a discount from Substack (or a legacy priced subscription) will see the wrong price in Ghost. I've had a number of folks cancel due to this, which is frustrating, and it's disappointing that Ghost won't fix it.

One final annoyance with Ghost is the inability to generate a discount offer that applies to multiple products - or even a discount code. Instead, to offer a 25% discount for Securing Laravel's 3rd Birthday, I need to give you two different links and you need to decide between them which one to use... 😒

For example, this one will get you 25% off a monthly premium subscription:

While this one will give you 25% off a yearly premium subscription:

Yes, those links are real discounts. Do you like my sneaky sales segue? 😉

The point of this email isn't to sell you a premium subscription, so all I will say is that premium subscriptions allow me to dedicate time each month to write these emails and use my skills to improve security within the Laravel Framework and educate the community. Please consider upgrading to support my work if that is something you are able to do.

Analytics

One of the nice things about moving to Ghost is the ability to use my own analytics, so I now have Fathom Analytics set up and tracking views.

So let's take a look at how it's going:

Analytics from the start of May until 31st August.

It's nice to see the number of people & views is increasing, especially the past 2 months when I've been trying to promote articles a bit more. I need to keep growing the site and getting more eyes on it, and now that I have decent analytics, I can track it better.

I find it fascinating that LinkedIn gives me such a high amount of traffic, and I really need to focus more of my energy over there!

Note, the high number of hits to the /?action=unsubscribe link in the above screenshot appear to be email clients that auto-click links. It does not correlate to the actual number of unsubscribes (which is incredibly tiny, for which I am very grateful).

The other interesting metric is the top countries. USA is understandably at the top, but it's cool to see India and Netherlands so high! Australia is quite low in comparison, which means I need to do more promotion at home!

Top 15 countries in Analytics

Delayed Birthday Challenge

You will no doubt have seen me talking about the birthday challenge, which I was planning to run this week. Unfortunately I had to delay it, so I'm currently aiming for the end of September. I'll keep you posted on that as I get the ball rolling. 🤞

By way of explanation (and this applies to why my course is taking so long too), this year has been an incredibly hard one, for a bunch of personal and health reasons. I've been living with Psoriatic Arthritis for 12 years, but it started to get really bad this year, most likely induced by a lot of extra stresses, and July and August were very tough months and it was hard to get much extra work done around the essentials. I'm starting to get it back under control now, but it's an ongoing process.

I decided to delay the challenge, rather than try to push through, because I didn't want to cut corners or reduce the scope. I want it to be a lot of fun, and challenging, and I will need to dedicate time to do it properly. Thanks for your patience while I get it organised, and I hope you enjoy it when it's ready!

Looking Ahead

So what's going to happen in the next 12 months for Securing Laravel?

The most important thing is, I will continue publishing my weekly Security Tips and monthly In Depth articles on my usual schedule. 🙂

As part of that, I will continue the Pentesting Laravel series, and then probably write accompanying articles for my Laracon AU talk for November. This is a brand new talk, so there may be a few things I want to cover! Alongside these, I need to set up and run the 3rd birthday competition. Ideally in September, but worst case I'll hold it alongside Laracon AU in some fashion.

In terms of new things, I'm considering adding a Community Links section into each Security Tip email. This would be similar to what Laravel News does in their weekly newsletter, but focused specifically on Laravel and PHP security-related articles and packages. Folks in the community would be able to submit their links, and I'll include them in my emails - sharing the love and hopefully exposing cool new resources. (Let me know if this is something you're interested in?)

I mentioned my desire to grow the number of premium subscribers above, and my reasons for that are relatively simple: I want to spend more time working directly with the framework, and popular community packages, diving into the security-related components, looking for improvements and potential vulnerabilities/edge cases.

This is something I don't get to spend enough time doing - most of my time is spent working with security audit clients and writing these emails. With more premium subscribers, I can shift more of my time onto Securing Laravel, and in addition to writing emails, I can dive into more framework and community code. 🤓

I actually started working on an audit of a well known package a few months ago, but it proved infeasible, so I shifted to doing my Pentesting Laravel series on a custom app I built. I've a few ideas to make this possible in the future.

One final thing I want to do is publish my Dropbear toolkit, as a free open-source tool for the community to use to help secure and test their apps. It's still a "works on my machine" state at the moment, so I need to work on that and get it ready for everyone.

Alright, that's a whole lot of words, so I think it's time to finish up!

Thank you once again for being a subscriber to Securing Laravel. Your support means so much to me, and I love knowing there is a community around writing secure apps and learning more about security.

Please tell all of your Laravel and PHP friends, co-workers, and enemies to subscribe, so we can grow this community to 4,000, and well beyond! (Remember, my goal is 6,000 in 12 months!)

Also, if you'd like to follow me on social media, you can find all of my accounts linked in Pinkary: https://pinkary.com/@valorin.

If I can ask one favour, since you've made it this far, can you please hit Reply in your email client and let me know two things:

  1. What you love about Securing Laravel.
  2. What you think can be improved about Securing Laravel.

Thank you,
Stephen