Security Tip: Canary Tokens

[Tip#31] These are my favourite simple security trick to let you know if someone is poking around in your stuff.

Security Tip: Canary Tokens

Greetings friends! Now that we’ve finished the OWASP Top 10 series, We’re back to our weekly Security Tips and monthly In Depth articles. It was great to cover the Top 10, but it’s nice to be back with our tips and deep dives. This week I’ve got a tip I’m amazed I hadn’t covered previously: Canary Tokens. These are my absolute favourite simple security trick, and I know you’re gonna love them!

Before we dive into the topic, here’s a quick update on Practical Laravel Security: I’m opening it up for Early Access within the next week or two1, with access to the first few modules and the interactive challenge system. I’m really excited by how it’s looking so far and the amount of interest PLS has received. I will be putting the price up when Early Access opens, so if you haven’t bought a license yet, now is definitely the time.

💡 Need to meet compliance requirements with an annual security audit and penetration test? I’m currently booking out April and May, so reach out now to book your audit! 🕵️

Looking to learn more?
Security Tip #13: Should You Block Compromised Passwords?
▶️ In Depth #4: Guessing Placeholders

Canary Tokens

Canary Tokens are a free service provided by Thinkst Canary that provide an “insanely easy-to-use honeypot solution that deploys in just 3 minutes.

The way they work is incredibly simple:

  1. You generate a new token on their website.
  2. You put the token somewhere
  3. A hacker finds the token, interacts with it, and you get an alert!
    (Most of the time, the hacker won’t even know they’ve triggered an alert!)

There are a lot of different tokens available to be generated, so you can usually find one that suits your use case.

The token types include:

  • DNS / hostname
  • AWS keys
  • Windows Command
  • Word Document
  • QR Code
  • MySQL Dump (this is great for your 'database' folder!)
  • URL Loaded
  • URL Redirects
  • PDF
  • Email address
Every time I set up a new Laravel app, I always generate a couple of tokens and scatter them around my repo and production server(s). The .env.example file is fantastic for storing Canary Tokens, because they’ll be stored in the repo and easily findable by anyone snooping around in your code. I’ve also got a few hiding on my laptop. 😉

Let’s walk through a simple example: generating AWS keys.

Step One: Generating a new set of AWS keys on
Step Two: The generated AWS keys for my Canary Token.
Step Three: Laravel .env.example file with the generated AWS Keys Canary Token.

Step Four: wait for someone to go snooping around!

For this example, I’ve run TruffleHog on my codebase and it’s found some matches:

Found verified result 🐷🔑
Detector Type: AWS
Decoder Type: PLAIN
File: .env.example

And I just received an email:

Canary Token Alert email reporting which token was triggered, from what IP, and method used.

It really is that simple.