Cryptography

In Depth

In Depth: Laravel Security Audits Top 10 (2024)!

[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.

Security Tips

Security Tip: Disallowing Functions with PHPStan!

[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!

Security Tips

Security Tip: Pest's Security Preset & Strict Equality

[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!

Security Tips

Security Tip: Stop Using MD5 and SHA-1!

[Tip #87] MD5 is like a cockroach - it's persistent and pops up everywhere, but one thing is very clear: you need to stop using it (and SHA-1 too)!

In Depth

In Depth: Graceful Encryption Key Rotation

[In Depth #25] Laravel makes effective use of encryption for security purposes, but what happens if your encryption key needs to be rotated? Let's see how Laravel 11 handles it...

In Depth

In Depth: Introducing Random

[InDepth#22] Random generates cryptographically secure random values in a range of different formats through a simple helper package for PHP.

Security Tips

Security Tip: Use HMAC Hashes To Verify Data

[Tip#66] For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1.

Security Tips

Security Tip: Compare keys with hash_equals()

[Tip#56] It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function...

Newsletter

In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 2)

[InDepth#19] It's time to finish up the "Th1nk Lik3 a H4cker" walkthrough, looking at the rest of the challenges and the final hack from Laracon US!

In Depth

In Depth: What Are Insecure Functions?

[InDepth#16] According to random folks on the internet (i.e. social media), "insecure functions" are a wide and varied concept. Let's take a look at the common themes across the different ideas...

Newsletter

In Depth: Securing Randomness Without Breaking Things

[InDepth#14] Cryptographically secure randomness is important, but so is backwards compatibility...

Security Tips

Security Tip: Laravel's Password Generator

[Tip#37] If you need to generate passwords in your app, it's important to use a cryptographically secure algorithm. Laravel makes this easy by giving us the Str::password() helper!