Security Tips
Security Tip: Safely Updating Dependencies
[Tip #131] Updating packages used to be a no-brainer, but now you need to be careful. Updates may be malicious. But not updating leaves vulns unpatched. So what do you do??? π€·
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.π΅οΈ I hack stuff on stage for fun. π
In Depth
In Depth: Version Numbers Are Vanity Labels
[In Depth #40] We trust version numbers to mean a specific, fixed release - but they're really just labels pointing at a commit, and an attacker can quietly move them. Let's dig into tag hijacking, the attack behind tj-actions and Laravel-Lang. π
Security Tips
Security Tip: Secure Your Repositories with Laravel Moat
[Tip #130] Laravel Moat is a new tool that assesses the security posture of your GitHub repositories and recommends ways to tighten the controls protecting them.
Security Tips
Security Tip: The Signed URL Trap
[Tip #129] I love Signed URLs, but there is one very subtle trap you can accidentally fall into...
In Depth
In Depth: Don't Trust Public Livewire Properties
[In Depth #39] Public Properties may look like PHP class properties, but they're really hidden form fields, just waiting for your input... π
Security Tips
Security Tip: Stop Putting Actions on GET Requests!
[Tip #128] Do you know the difference between GET and POST requests, and why it's so important that GET requests only ever retrieve data?
Security Tips
Security Tip: Your JWT Might Be a Forever Key!
[Tip #127] Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.
Security Tips
Security Tip: Validate Config at Boot
[Tip #126] Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.
In Depth
In Depth: Email Verification Isn't as Simple as You Think
[In Depth #38] You can't trust an email address you haven't verified, so why are you storing them in your database?
Security Tips
Security Tip: Consider All Routes, Not Just Web!
[Tip #125] routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?
Security Tips
Security Tip: Update your packages! (Yes, this again!)
[Tip #124] I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
Security Tips
Security Tip: How Should APIs Respond to HTTP?
[Tip #123] If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands?