Audits Top 10

Security Tips

Security Tip: Do You Have an Upgrade Plan?

[Tip #102] In less than 2 weeks, Laravel 10.x will no longer be supported, and PHP 8.1 has less than 12 months left! Do you have an upgrade plan?

Security Tips

Security Tip: Please Stop Hardcoding Admin Domains!

[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me! 😈

Security Tips

Security Tip: strip_tags() Won't Save You from XSS!

[Tip #98] XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...

Security Tips

Security Tip: Be Intentional with Your Outputs!

[Tip #97] XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your apps!

In Depth

In Depth: Laravel Security Audits Top 10 (2024)!

[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.

In Depth

In Depth: Storing Environment Variables Safely

[InDepth#17] Let's dive deep into the wonderful world of storing environment variables safely, looking at the different options Laravel supports and some "industry best practices".

Security Tips

Security Tip: Test for Missing Authorisation

[Tip#48] We write tests for everything else, so why not write tests for authorisation as well?

Security Tips

Security Tip: Getting Started with Content Security Policies

[Tip#47] Setting up a CSP doesn't have to be a daunting task! Let's take a look at a tips for getting started with CSPs, without breaking anything!

Security Tips

Security Tip: Security Headers are Layers of Defence

[Tip#46] Security headers add important layers of defence to your apps, preventing data leaks, XSS and CSRF attacks, clickjacking, and more... Why are you leaving your apps unprotected?

In Depth

In Depth: What Are Insecure Functions?

[InDepth#16] According to random folks on the internet (i.e. social media), "insecure functions" are a wide and varied concept. Let's take a look at the common themes across the different ideas...

Security Tips

Security Tip: Replace Simple Dependencies

[Tip#45] The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running...

Security Tips

Security Tip: Avoiding XSS with HtmlString

[Tip#44] Check out that one simple trick... I mean... This is my favourite way to avoid XSS.