
Security Tips
Security Tip: Scoping orWhere Can Be Disastrous!
[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!
In Depth
[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... π§
Security Tips
[Tip #114] One of my favourite Laravel features, the humble HtmlString, is now available as an Eloquent Cast - which should make it much more accessible! π But there is a catch... π
Security Tips
[Tip #113] "Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... π±
[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... π§
[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! π€
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
The essential security resource for Laravel developers.
[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! π
[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! π€
[Tip #111] The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly vulnerable extension.
[Tip #110] This is your periodic reminder that Rate Limiting is essential, and for more than just your user/password form! Make sure you've got it on your OTP, or someone will come along and brute-force that 6-digit code.
[Tip #109] I get asked this all the time, so it's time to set the record straight: there is nothing insecure about storing your credentials in a .env, as long as you keep your .env protected!
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
[Tip #108] Temporary URLs for file access is an essential piece of the security puzzle, which up until recently were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!
[Tip #107] Laravel 12 introduced a seemingly minor change - image validation now excludes SVGs by default. π€ Let's take a look at why this is so important! π€
[Tip #106] Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious 500 server errors! π±
[Tip #105] These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours.
[Tip #104] It's easy for type juggling to sneak into authorisation callbacks, especially when types are ambiguous, and if you're not careful, you may be leaving a massive hole waiting to be exploited! π±
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!