Security Tips
Security Tip: Use HMAC Hashes To Verify Data
[Tip#66] For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1.
Weekly security tips that cover the simpler topics, configuration options, tricks, updates, and anything else security related you need to be aware of.
[Tip#65] Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it...
[Tip#64] Do you know the difference between `e()`, `htmlspecialchars()`, & `htmlentities()`? Can we just use `e()` for everything?
[Tip#63] PHP includes some really handy security-focused functions, but you need to know how to use them correctly, or you risk leaving a significant vulnerability waiting to be exploited! 😱
[Tip#62] Search engines like to snoop on all of your files, so be careful what you leave lying around.
[Tip#61] While it's tempting to throw everything into logs, keep in mind where your logs end up: plain text files, third-party collectors, passed around the development team, etc...
[Tip#60] Stack traces are essential for debugging complex (and even simple) issues, but there is a risk that something sensitive might be exposed within your trace... Let's ensure that doesn't happen!
[Tip#59] It may seem obvious, but you'd be surprised just how often I come across websites where debug mode is enabled!
[Tip#58] It's time to upgrade your bcrypt rounds to 12 (or higher)!
[Tip#57] You've heard about SQL Injection and Cross-Site Scripting, but what about another big injection avenue: Command Injection? It's less common, but it's just as critical that you're aware of it...
[Tip#56] It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing-attack-safe string comparison function...
[Tip#55] Let's look at my old buddy `time()`, who always has something for me during my audits. This time it's helping to avoid filename collisions?