Security Tip: Bypassing Content-Security-Policy with <base>!

[Tip #122] Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! 😈

Security Tip: When Is XSS Not Strictly XSS? (But Still Bad!)

[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! 😈

4 years of Securing Laravel! 🎂

I almost missed it, but it's time to celebrate 4 years of Securing Laravel!

Security Tip: Password Resets and MFA?

[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?

Security Tip: Account Recovery for MFA?

[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?

Security Tip: 2FA Isn't Just For Logins!

[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.

In Depth: Setting up Two-Factor Authentication!

[In Depth #37] It's time to finally fulfil one of the most common requests for an In Depth article: setting up 2FA! 🎉 So let's add some TOTP 2FA to our boring user/pass auth login!

Security Tip: Do I Have a Vulnerable Package Installed?

[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! 🤨

Laravel Security Notice: Livewire v3 Remote Code Execution Vulnerability!

[Notice #4] Livewire v3 is vulnerable to an RCE (Remote Command Execution) during component property update hydration in specific scenarios. ⚠️ Update your Livewire ASAP! ⚠️

Security Tip: Add Authorisation at the Start!

[Tip #116] Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured?

Security Tip: Scoping orWhere Can Be Disastrous!

[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!

In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 2)

[In Depth #36] It's time to review the Livewire Volt, Vue, and React Starter Kits! Let's see what vulnerabilities are hiding under the surface, and just how easy it is to fix them... 🧐

Security Tips

Security Tip: Eloquent Casting to HtmlString!

[Tip #114] One of my favourite Laravel features, the humble HtmlString, is now available as an Eloquent Cast - which should make it much more accessible! 🎉 But there is a catch... 😟

Security Tips

Security Tip: Don't Generate Your Own Passwords!

[Tip #113] "Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... 😱

Security Tips

Security Tip: Don't Use phpinfo()!

[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! 😈

In Depth

In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 1)

[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! 🤓

Security Tips

Security Tip: What Can We Learn from CommonMark's XSS?

[Tip #111] The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly vulnerable extension.

Security Tips

Security Tip: OTPs Need Rate Limiting Too!

[Tip #110] This is your periodic reminder that Rate Limiting is essential, and for more than just your user/password form! Make sure you've got it on your OTP, or someone will come along and brute-force that 6-digit code.

Security Tips

Security Tip: Yes, Your .Env Is Secure Enough!

[Tip #109] I get asked this all the time, so it's time to set the record straight: there is nothing insecure about storing your credentials in a .env, as long as you keep your .env protected!

In Depth

In Depth: What Actually Is MFA?

[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.

Security Tips

Security Tip: Temporary Local File URLs!

[Tip #108] Temporary URLs for file access is an essential piece of the security puzzle, which up until recently were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!

Security Tips

Security Tip: Excluding SVGs from Image Validation!

[Tip #107] Laravel 12 introduced a seemingly minor change - image validation now excludes SVGs by default. 🤔 Let's take a look at why this is so important! 🤓

Security Tips

Security Tip: Limiting bcrypt Passwords to 72 Bytes!

[Tip #106] Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious 500 server errors! 😱

Security Tips

Security Tip: Run Your CSP in Local Development!

[Tip #105] These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours.