Security Tip: Have You Heard Of Slopsquatting?
[Tip #132] Your AI agent hallucinates a package name, confidently installs it, and keeps working - except an attacker registered that exact name, packed with malware. Welcome to slopsquatting.
[Tip #132] Your AI agent hallucinates a package name, confidently installs it, and keeps working - except an attacker registered that exact name, packed with malware. Welcome to slopsquatting.
[Tip #131] Updating packages used to be a no-brainer, but now you need to be careful. Updates may be malicious. But not updating leaves vulns unpatched. So what do you do??? π€·
[In Depth #40] We trust version numbers to mean a specific, fixed release - but they're really just labels pointing at a commit, and an attacker can quietly move them. Let's dig into tag hijacking, the attack behind tj-actions and Laravel-Lang. π
[Tip #130] Laravel Moat is a new tool that assesses the security posture of your GitHub repositories and recommends ways to tighten the controls protecting them.
[Tip #129] I love Signed URLs, but there is one very subtle trap you can accidentally fall into...
[In Depth #39] Public Properties may look like PHP class properties, but they're really hidden form fields, just waiting for your input... π
[Tip #128] Do you know the difference between GET and POST requests, and why it's so important that GET requests only ever retrieve data?
[Tip #127] Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.
[Tip #126] Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.
[In Depth #38] You can't trust an email address you haven't verified, so why are you storing them in your database?
[Tip #125] routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?
[Tip #124] I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
Security Tips
[Tip #123] If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands?
Security Tips
[Tip #122] Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! π
Security Tips
[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! π
Birthday Retrospective
I almost missed it, but it's time to celebrate 4 years of Securing Laravel!
Security Tips
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
Security Tips
[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?
Security Tips
[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.
In Depth
[In Depth #37] It's time to finally fulfil one of the most common requests for an In Depth article: setting up 2FA! π So let's add some TOTP 2FA to our boring user/pass auth login!
Security Tips
[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! π€¨
Security Notice
[Notice #4] Livewire v3 is vulnerable to an RCE (Remote Command Execution) during component property update hydration in specific scenarios. β οΈ Update your Livewire ASAP! β οΈ
Security Tips
[Tip #116] Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured?
Security Tips
[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!