Security Tip: Non-production Mail Sending
[Tip #21] It may seem strange, but non-production mail can be a security risk.
Greetings friends. If you’re following my pattern, you might have expected a security discussion this week, but the engagement has been quite low, so I’ve decided to switch back to the security tip - although still covering topics that can easily lead to more discussion. I suspect today’s topic will have some of you in disagreement - if so please share in the comments, so we can discuss. 🙂
This week I want to briefly share why I believe sending mail from non-production sites is a bad idea, and risks the security of your application. I’ll also provide some alternatives you can use on your non-production sites.
Btw, I’m almost fully booked for Laravel Security Audits until November, so if you want to get in before the end of the year, you’ll want to reach out soon. 🕵️
Non-production Mail Sending
Why Is It a Security Risk?
It’s incredibly common to set up our non-production environments (i.e. staging, testing, pre-prod, etc.) to match production and send out emails using our mail transport providers. This gives us full functionality and makes testing with users easy, but it also introduces a huge risk.
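As an added illustration (not code from this post), here is one way a Laravel app can refuse to deliver mail through a live transport outside production, either failing at boot or redirecting every message to a single internal mailbox; the `mail.nonprod_recipient` config key and the environment name `production` are assumptions.

```php
<?php
// Added example, not from the Securing Laravel post: a boot-time guard in
// App\Providers\AppServiceProvider. Assumes config/mail.php defines a
// 'nonprod_recipient' key (e.g. from an env variable of your choosing).

namespace App\Providers;

use Illuminate\Support\Facades\Mail;
use Illuminate\Support\ServiceProvider;
use RuntimeException;

class AppServiceProvider extends ServiceProvider
{
    /** Built-in mailers that never reach a real inbox. */
    private const SAFE_MAILERS = ['log', 'array'];

    public function boot(): void
    {
        if ($this->app->environment('production')) {
            return; // production keeps its normal transport
        }

        $mailer = config('mail.default');

        // Weak setting: a staging/test site configured exactly like production
        // (e.g. MAIL_MAILER=smtp with live credentials). Catch it at boot rather
        // than after a test email has already reached a real customer.
        if (in_array($mailer, self::SAFE_MAILERS, true)) {
            return;
        }

        $sink = config('mail.nonprod_recipient'); // assumed config key

        if ($sink === null) {
            throw new RuntimeException(
                "Non-production environment is using live mailer '{$mailer}'. "
                . 'Set MAIL_MAILER=log or configure mail.nonprod_recipient.'
            );
        }

        // Hardened alternative: keep the transport for realistic testing, but
        // override every recipient so nothing leaves the team's own mailbox.
        Mail::alwaysTo($sink);
    }
}
```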