Security Tips
Security Tip: Your JWT Might Be a Forever Key!
[Tip #127] Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.π΅οΈ I hack stuff on stage for fun. π
Security Tips
Security Tip: Validate Config at Boot
[Tip #126] Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.
In Depth
In Depth: Email Verification Isn't as Simple as You Think
[In Depth #38] You can't trust an email address you haven't verified, so why are you storing them in your database?
Security Tips
Security Tip: Consider All Routes, Not Just Web!
[Tip #125] routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?
Security Tips
Security Tip: Update your packages! (Yes, this again!)
[Tip #124] I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
Security Tips
Security Tip: How Should APIs Respond to HTTP?
[Tip #123] If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands?
Security Tips
Security Tip: Bypassing Content-Security-Policy with <base>!
[Tip #122] Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! π
Security Tips
Security Tip: When Is XSS Not Strictly XSS? (But Still Bad!)
[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! π
Birthday Retrospective
4 years of Securing Laravel! π
I almost missed it, but it's time to celebrate 4 years of Securing Laravel!
Security Tips
Security Tip: Password Resets and MFA?
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
Security Tips
Security Tip: Account Recovery for MFA?
[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?
Security Tips
Security Tip: 2FA Isn't Just For Logins!
[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.