Greetings my friends! I hope this email finds you all well. Before we get into our security tip for the week, I want to remind you about Laracon Online this week. It’s a completely free online event1 with lots of great speakers. I’ll be speaking in the final slot about web browser security features!

This week I’m covering one of the first things I do when starting a new security audit: searching for secrets, credentials and API keys. It’s rare to audit a site that doesn’t have some secrets hiding in the code, so it’s important for you to be aware of it and some of the tools we can use to easily audit our own apps.

👉 Security Audits: Want me to hack your app and help you improve your security? 🕵️

Looking to learn more…2
⏩ Security Tip #1: Custom Encryption Key
▶️ In Depth #1: Encryption

Finding Secrets

Secrets, API keys, credentials, passwords, encryption keys, private keys… the list goes on. There are a lot of different types of secrets that could appear in your code, either intentionally or otherwise. Maybe you commit your auth.json so everyone can easily download Nova, or your Slack webhooks are hard-coded in a controller. Or maybe you accidently used git add . and didn’t realise what files were being included…

There are many reasons why secrets could end up in your code repository, but you really don’t want your secrets stored in your code.

Why?