Security Tips
Security Tip: Don't Forget to Regenerate 2FA Secret Keys!
[Tip #84] It's not just passwords you need to worry about when it comes to authentication and stolen credentials: your 2FA secret keys may also be at risk!
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I hack stuff on stage for fun. 😈
In Depth
In Depth: Pentesting Laravel part 1 - Passive Scans
[In Depth #27] Let me walk you through my process of conducting a Laravel Security Audit and Penetration Test, starting with the passive scans that usually find a lot of low-hanging fruit!
Security Tips
Security Tip: Prohibiting Destructive Commands on Production
[Tip #83] It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
Security Tips
Security Tip: How Strict Is your Transport Security?
[Tip #82] HTTPS is everywhere & easy, but HTTP is still an option... How do you stop an attacker intercepting and downgrading connections to your site?
Security Tips
Security Tip: Is Your Referrer Leaking Information?
[Tip #81] Do you know what information is being leaked by the Referer header when your users click on external links?
In Depth
In Depth: Using CSS Clickjacking to Steal Passwords
[In Depth #26] It's time for some nightmare fuel with a sneaky inline CSS vulnerability I found in a popular Laravel package!
Security Tips
Security Tip: Privilege Escalation Through Domain Wildcards!
[Tip #80] It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin!
Security Tips
Security Tip: Only Use env() Within Config Files
[Tip #79] It may be tempting to reach for env() outside your config files, but you may be introducing subtle bugs, or exposing your app to compromise...
Security Tips
Security Tip #78: Laravel 11's Per-Second Rate Limiting
Up until now, Laravel has only supported rate limiting per-minute, but that didn't work in some scenarios, as a minute is a very long time. To solve this, Laravel 11 supports per-second!
Security Tips
Security Tip: Laravel 11's Prompt Validation Rules
[Tip #77] We often talk about validating user input from the browser, but what about user input on the command line? Validation is just as useful there too!
Security Tips
Security Tip: Laravel 11's Automatic Password Rehashing
[Tip #76] Let's check out three of the configuration options available as part of Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt rounds.
In Depth
In Depth: Graceful Encryption Key Rotation
[In Depth #25] Laravel makes effective use of encryption for security purposes, but what happens if your encryption key needs to be rotated? Let's see how Laravel 11 handles it...