
Security Tips
Security Tip: Password Resets and MFA?
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
Weekly security tips that cover the simpler topics, configuration options, tricks, updates, and anything else security related you need to be aware of.
Security Tips
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?
Security Tips
[Tip #119] What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their accounts?
Security Tips
[Tip #118] Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing other sensitive activities too.
Security Tips
[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! ๐คจ
Security Tips
[Tip #116] Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured?
Security Tips
[Tip #115] Let's take a look at why something as simple and "harmless" as an orWhere can introduce a huge privacy risk to your application, and how you can avoid it!
Security Tips
[Tip #114] One of my favourite Laravel features, the humble HtmlString, is now available as an Eloquent Cast - which should make it much more accessible! ๐ But there is a catch... ๐
Security Tips
[Tip #113] "Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever... ๐ฑ
Security Tips
[Tip #112] It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account! ๐
Security Tips
[Tip #111] The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly vulnerable extension.
Security Tips
[Tip #110] This is your periodic reminder that Rate Limiting is essential, and for more than just your user/password form! Make sure you've got it on your OTP, or someone will come along and brute-force that 6-digit code.
Security Tips
[Tip #109] I get asked this all the time, so it's time to set the record straight: there is nothing insecure about storing your credentials in a .env, as long as you keep your .env protected!