Security Tip: Canary Tokens
[Tip#31] Canary Tokens are my favourite simple security trick for finding out when someone is poking around in your stuff.
Greetings friends! Now that we’ve finished the OWASP Top 10 series, we’re back to our weekly Security Tips and monthly In Depth articles. It was great to cover the Top 10, but it’s nice to be back with our tips and deep dives. This week I’ve got a tip I’m amazed I hadn’t covered previously: Canary Tokens. These are my absolute favourite simple security trick, and I know you’re gonna love them!
Before we dive into the topic, here’s a quick update on Practical Laravel Security: I’m opening it up for Early Access within the next week or two, with access to the first few modules and the interactive challenge system. I’m really excited by how it’s looking so far and the amount of interest PLS has received. I will be putting the price up when Early Access opens, so if you haven’t bought a license yet, now is definitely the time.
Laravel Security In Depth is a bestselling reader-supported publication. Join over 1,500 Laravel developers, learning about keeping their apps secure each week.
💡 Need to meet compliance requirements with an annual security audit and penetration test? I’m currently booking out April and May, so reach out now to book your audit! 🕵️
Looking to learn more?
⏩ Security Tip #13: Should You Block Compromised Passwords?
▶️ In Depth #4: Guessing Placeholders
The way Canary Tokens work is incredibly simple:
You generate a new token on the Canary Tokens website.
You put the token somewhere.
A hacker finds the token, interacts with it, and you get an alert!
(Most of the time, the hacker won’t even know they’ve triggered an alert!)
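To make those three steps concrete, here is a toy canary-token service written for this post as an added example; it is not the Canary Tokens service’s own code. It mints a URL token tied to a memo saying where you planted it, serves it on localhost, and records an alert with the requester’s address and User-Agent whenever that URL is opened, while answering with an empty 200 so the visitor learns nothing. The address, port, memo and User-Agent string are all constructed for the example.

```python
"""Toy canary-token service: mint a URL token, serve it, record an alert on hit.

Added example for this post, not the Canary Tokens service's code. Standard
library only; the address, port and the visitor's User-Agent are constructed.
"""
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class CanaryRegistry:
    """Holds minted tokens (id -> memo) and the alerts they have fired."""

    def __init__(self):
        self.tokens = {}
        self.alerts = []

    def mint(self, memo):
        """Create a token id and remember where you plan to plant it."""
        token_id = secrets.token_hex(8)
        self.tokens[token_id] = memo
        return token_id

    def trigger(self, token_id, source_ip, user_agent):
        """Record an alert if token_id is one of ours; return None otherwise."""
        memo = self.tokens.get(token_id)
        if memo is None:
            return None  # stray request, not a planted token
        alert = {
            "memo": memo,
            "source_ip": source_ip,
            "user_agent": user_agent,
            "time": time.time(),
        }
        self.alerts.append(alert)
        return alert


class CanaryHandler(BaseHTTPRequestHandler):
    registry = None  # bound to a CanaryRegistry by serve()

    def do_GET(self):
        # The token id is the first path segment: http://host/<token_id>
        token_id = self.path.strip("/").split("/")[0]
        self.registry.trigger(
            token_id, self.client_address[0], self.headers.get("User-Agent", "")
        )
        # Reply with an empty 200 whether or not it was a token: the visitor
        # should not be able to tell that anything was recorded.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # silence per-request logging on stderr


def serve(registry):
    """Start the token server on a free localhost port in a background thread."""
    handler = type("BoundHandler", (CanaryHandler,), {"registry": registry})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Mint a token, build its URL, open it as a snooper would, collect alerts."""
    registry = CanaryRegistry()
    server = serve(registry)
    try:
        token_id = registry.mint("URL token in .env.example of my-laravel-app")
        url = "http://127.0.0.1:%d/%s" % (server.server_port, token_id)
        # Simulate someone who found the URL in the repo and fetched it.
        req = Request(url, headers={"User-Agent": "curl/8.0 (constructed)"})
        with urlopen(req, timeout=5) as resp:
            resp.read()
        # A request to a path that is not a token leaves no trace.
        other = "http://127.0.0.1:%d/robots.txt" % server.server_port
        with urlopen(other, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return registry.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT: %(memo)s touched from %(source_ip)s (%(user_agent)s)" % alert)
```

The memo is the important part: the alert tells you which planted token fired, so you know whether it was the one in your repo, on your production server, or on your laptop that someone found.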
There are a lot of different tokens available to be generated, so you can usually find one that suits your use case.
The token types include:
DNS / hostname
MySQL Dump (this is great for your
Every time I set up a new Laravel app, I always generate a couple of tokens and scatter them around my repo and production server(s). The .env.example file is fantastic for storing Canary Tokens, because they’ll be stored in the repo and easily findable by anyone snooping around in your code. I’ve also got a few hiding on my laptop. 😉
Let’s walk through a simple example: generating AWS keys.
Step Four: wait for someone to go snooping around!
For this example, I’ve run TruffleHog on my codebase and it’s found some matches:
Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAYVP4CIPPOYTRDREA
File: .env.example
And I just received an email:
It really is that simple.
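Once canaries are planted, a scanner that flags every AWS-shaped key is only half the picture: you want to tell your own canaries apart from a genuine leak, and to notice if a canary has quietly gone missing from the file you put it in. The following script, added here as an example and not part of this post, of TruffleHog, or of the Canary Tokens service, does that over an in-memory sample repository constructed for the example. The canary key ID is the one from the TruffleHog output above, the second key is AWS’s documented placeholder standing in for a real leak, and the AKIA pattern is the access key ID format AWS uses.

```python
"""Find AWS-shaped key IDs in a repo and sort them into planted canaries vs unknowns.

Added example for this post; not TruffleHog and not the Canary Tokens service.
The sample repository below is constructed in memory so the script runs offline.
"""
import re
from pathlib import Path

# AWS access key IDs are 20 chars starting with AKIA (TruffleHog's detector is
# more elaborate and also verifies the key against AWS; this is the cheap check).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Keys you deliberately planted, with the file each one should live in.
# The key ID below is the canary from the post's TruffleHog output.
PLANTED_CANARIES = {
    "AKIAYVP4CIPPOYTRDREA": ".env.example",
}

# Constructed sample repo: path -> file contents.
SAMPLE_REPO = {
    ".env.example": (
        "APP_NAME=Laravel\n"
        "AWS_ACCESS_KEY_ID=AKIAYVP4CIPPOYTRDREA\n"
        "AWS_SECRET_ACCESS_KEY=replace-me\n"
    ),
    "config/filesystems.php": (
        "<?php\n"
        "return ['s3' => ['key' => env('AWS_ACCESS_KEY_ID')]];\n"
    ),
    # A key that is not one of ours: AWS's documented placeholder, standing in
    # for a real leak that slipped into a fixture.
    "tests/Fixtures/upload.log": "PUT ok using AKIAIOSFODNN7EXAMPLE\n",
}


def scan(files, planted=PLANTED_CANARIES):
    """Return (findings, missing).

    findings: one dict per key occurrence, kind 'canary' (planted by you) or
              'unknown' (treat as a real leak until proven otherwise).
    missing:  planted canaries that no longer appear in their expected file,
              which means the tripwire is gone and nobody would be alerted.
    """
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for key in AWS_KEY_ID.findall(line):
                kind = "canary" if key in planted else "unknown"
                findings.append({"path": path, "line": lineno, "key": key, "kind": kind})
    present = {(f["key"], f["path"]) for f in findings if f["kind"] == "canary"}
    missing = [k for k, where in planted.items() if (k, where) not in present]
    return findings, missing


def scan_tree(root):
    """Load a real checkout (text files only, skipping .git) and run scan() over it."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                files[str(p.relative_to(root))] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan(files)


if __name__ == "__main__":
    found, gone = scan(SAMPLE_REPO)
    for f in found:
        print("%-8s %s:%d %s" % (f["kind"], f["path"], f["line"], f["key"]))
    for key in gone:
        print("MISSING canary %s (expected in %s)" % (key, PLANTED_CANARIES[key]))
```

Run `scan_tree(".")` from the root of a checkout to use it on a real project. A canary finding is expected and should stay put; an unknown finding is a credential to rotate; a missing canary means your tripwire has been removed and you have lost the alert it would have given you.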
You can find the latest updates and more details about Early Access here: https://practicallaravelsecurity.getsendstack.com/archive/x45MD4-why-practical-security-will-make-your-apps-more-secure