Security Tips
Security Tip: Privilege Escalation Through Domain Wildcards!
[Tip #80] It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin!
Security Tips
Security Tip: Only Use env() Within Config Files
[Tip #79] It may be tempting to reach for env() outside your config files, but you may be introducing subtle bugs, or exposing your app to compromise...
Security Tips
Security Tip #78: Laravel 11's Per-Second Rate Limiting
Up until now, Laravel has only supported rate limiting per-minute, but that didn't work in some scenarios, as a minute is a very long time. To solve this, Laravel 11 supports per-second!
Security Tips
Security Tip #77: Laravel 11's Prompt Validation Rules
We often talk about validating user input from the browser, but what about user input on the command line? Validation is just as useful there too!
Security Tips
Security Tip #76: Laravel 11's Automatic Password Rehashing
Let's check out three of the configuration options available as part of Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt rounds.
Security Tips
Security Tip: Laravel 11's Controller Authorisation & Validation Methods
[Tip#75] As part of the simplification of the app structure in Laravel 11, the Request Authorisation and Validation methods are no longer available on the controller - here's how you get it back.
Security Tips
Security Tip: Laravel 11's Middleware Configuration
[Tip#74] Laravel 11 shifts the default middleware into the framework itself and exposes configuration through the bootstrap/app.php class.
Security Tips
Security Tip: A Well-Known URL for Changing Passwords
[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!
Security Tips
Security Tip: Don't Forget Your Registration Form!
[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form... it can provide attackers with crucial intel!
Security Tips
Security Tip: Keep Your Tools Updated!
[Tip#71] We talk a lot about keeping our app dependencies updated, but we can't forget our tools like Composer also need updates too!
Security Tips
Security Tip: Fix Your Leaky APIs!
[Tip#70] This is your periodic reminder to check your app for any leaky APIs and fix them ASAP, otherwise you might end up with an email from Have I Been Pwned's Troy Hunt...
Security Tips
Security Tip: Use a Supported Version of Laravel!
[Tip#69] Are you using Laravel 10? If not, do you have an upgrade planned? If you're not on 10, your app may be at risk!
Security Tips
Security Tip: Use the Alpine.js CSP Build!
[Tip#68] If you use Alpine and a CSP on your app, you'll want to use the new CSP-friendly build to avoid needing `unsafe-eval` in your policies.
Security Tips
Security Tip: Don't Use nl2br()!
[Tip#67] As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS instead!
Security Tips
Security Tip: Use HMAC Hashes To Verify Data
[Tip#66] For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1.
Security Tips
Security Tip: Do You Really Need a Hash for That?
[Tip#65] Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it...