Newsletter
2 years of Securing Laravel / Laravel Security In Depth!
Thank you for subscribing and supporting Securing Laravel these past 2 years!
Stephen Rees-Carter
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I hack stuff on stage for fun. 😈
Newsletter
In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 2)
[InDepth#19] It's time to finish up the "Th1nk Lik3 a H4cker" walkthrough, looking at the rest of the challenges and the final hack from Laracon US!
Security Tips
Security Tip: Hijacking Domains, the Easy Way?
[Tip#54] Don't leave domains (or subdomains) pointing at servers or nameservers you don't control, or you might get a copy of the email I just received! 😧
Security Tips
Security Tip: Bypassing CSRF Protection with File Uploads
[Tip#53] Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass CSRF and cookie protections?
In Depth
In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)
[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.
Security Tips
Security Tip: HTML autocomplete Attribute
[Tip#52] HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Lets take a look at how it helps your password fields and password managers work together!
Newsletter
Don't forget about the special Laracon US 25% Discount!
Only a couple of days left to take advantage of the 25% off special!
Security Tips
Security Tip: Validate Your Webhooks!
[Tip#51] Just because your webhook endpoints aren't listed anywhere (are they?) doesn't mean someone won't find them, and send malicious payloads to your app! You need to validate your webhook payloads!
Security Tips
Security Tip: Watch out for Resource Authorisation
[Tip#50] Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising it!
Security Tips
Security Tip: Disable Dev Tools on Prod
[Tip#49] Dev tools are are really helpful, but they are still just dev tools. Don't install them on production... or anywhere world-accessible, if you can avoid it.
In Depth
In Depth: Storing Environment Variables Safely
[InDepth#17] Let's dive deep into the wonderful world of storing environment variables safely, looking at the different options Laravel supports and some "industry best practices".
Security Tips
Security Tip: Test for Missing Authorisation
[Tip#48] We write tests for everything else, so why not write tests for authorisation as well?