Security Tips
Security Tip: When Is XSS Not Strictly XSS? (But Still Bad!)
[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! π
Security Tips
Security Tip: Password Resets and MFA?
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
Security Tips
Security Tip: Account Recovery for MFA?
[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?
Security Tips
Security Tip: 2FA Isn't Just For Logins!
[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.
Security Tips
Security Tip: Do I Have a Vulnerable Package Installed?
[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! π€¨
Security Tips
Security Tip: Add Authorisation at the Start!
[Tip #116] Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured?
Security Tips
Security Tip: Scoping orWhere Can Be Disastrous!
[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!
Security Tips
Security Tip: Eloquent Casting to HtmlString!
[Tip #114] One of my favourite Laravel features, the humble HtmlString, is now available as an Eloquent Cast - which should make it much more accessible! π But there is a catch... π
Security Tips
Security Tip: Don't Generate Your Own Passwords!
[Tip #113] "Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... π±
Security Tips
Security Tip: Don't Use phpinfo()!
[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! π
Security Tips
Security Tip: What Can We Learn from CommonMark's XSS?
[Tip #111] The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly vulnerable extension.
Security Tips
Security Tip: OTPs Need Rate Limiting Too!
[Tip #110] This is your periodic reminder that Rate Limiting is essential, and for more than just your user/password form! Make sure you've got it on your OTP, or someone will come along and brute-force that 6-digit code.