Security Tip: Don't Use phpinfo()!
[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! π
Latest
In Depth: A Deep Dive into Laravel's New Starter Kits! (pt 1)
[In Depth #35] Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! π€
Security Tip: What Can We Learn from CommonMark's XSS?
[Tip #111] The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly vulnerable extension.
Security Tip: OTPs Need Rate Limiting Too!
[Tip #110] This is your periodic reminder that Rate Limiting is essential, and for more than just your user/password form! Make sure you've got it on your OTP, or someone will come along and brute-force that 6-digit code.
Security Tip: Yes, Your .Env Is Secure Enough!
[Tip #109] I get asked this all the time, so it's time to set the record straight: there is nothing insecure about storing your credentials in a .env, as long as you keep your .env protected!
In Depth: What Actually Is MFA?
[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.
Security Tip: Temporary Local File URLs!
[Tip #108] Temporary URLs for file access is an essential piece of the security puzzle, which up until recently were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!
Security Tip: Excluding SVGs from Image Validation!
[Tip #107] Laravel 12 introduced a seemingly minor change - image validation now excludes SVGs by default. π€ Let's take a look at why this is so important! π€
Security Tip: Limiting bcrypt Passwords to 72 Bytes!
[Tip #106] Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious 500 server errors! π±
Security Tip: Run Your CSP in Local Development!
[Tip #105] These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours.
Security Tip: Type Coercion in Broadcast Routes!
[Tip #104] It's easy for type juggling to sneak into authorisation callbacks, especially when types are ambiguous, and if you're not careful, you may be leaving a massive hole waiting to be exploited! π±
In Depth: Common Authorisation Failures!
[In Depth #33] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
Security Tips
Security Tip: Don't Roll Your Own Crypto!
[Tip #103] It's story time! Let's look at the SHA-3 competition as a reminder that crypto is hard... π±
Security Tips
Security Tip: Do You Have an Upgrade Plan?
[Tip #102] In less than 2 weeks, Laravel 10.x will no longer be supported, and PHP 8.1 has less than 12 months left! Do you have an upgrade plan?
Security Tips
Security Tip: Should You Limit Password Lengths?
[Tip #101] Password length limits are often a sign of a legacy backend or insecure hashing, but did you know bcrypt only hashes the first 72 characters? It raises the question, should we be limiting password lengths when using bcrypt too? π€
In Depth
In Depth: Five Ways to Fail at Authentication
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
Security Tips
Security Tip: What If You Hashed Null?
[Tip #100] One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.
Security Tips
Security Tip: Please Stop Hardcoding Admin Domains!
[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me! π
Security Tips
Security Tip: strip_tags() Won't Save You from XSS!
[Tip #98] XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...
Security Tips
Security Tip: Be Intentional with Your Outputs!
[Tip #97] XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your apps!
Security Notice
Laravel Security Notice: Laravel Environment Manipulation via Query String
[Notice #3] Update your Laravel version and ensure `register_argc_argv` is disabled non-CLI commands!
In Depth
In Depth: Laravel Security Audits Top 10 (2024)!
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
Security Tips
Security Tip: Ensure Your App Requires HTTPS!
[Tip #96] Encryption is essential, but you can't just install a certificate and go about your day... Secure those cookies, redirect from HTTP, and HSTS FTW! π
Security Tips
Security Tip: Can You Safely Unserialise Classes?
[Tip #95] While you really shouldn't unserialise anything you get from a user, occasionally you have no choice... so how do you do it safely?