Security Tips
[Tip#60] Stack traces are essential for debugging complex (and even simple) issues, but there is a risk that something sensitive might be exposed within your trace... Let's ensure that doesn't happen!
Security Tips
[Tip#59] It may seem obvious, you'd be surprised just how often I come across websites where debug mode is enabled!
Security Tips
[Tip#58] It's time to upgrade your bcrypt rounds to 12 (or higher)!
Security Tips
[Tip#57] You've heard about SQL Injection and Cross-Site Scripting but what about another big injection avenue: Command Injection? It's less common but just as critical that you're aware of it...
Security Tips
[Tip#56] It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function...
Security Tips
[Tip#55] Let's look at my old buddy time(), who always has something for me during my audits. This time it's helping avoid filename collisions?
Security Tips
[Tip#54] Don't leave domains (or subdomains) pointing at servers or nameservers you don't control, or you might get a copy of the email I just received! 😧
Security Tips
[Tip#53] Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass CSRF and cookie protections?
Security Tips
[Tip#52] HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Lets take a look at how it helps your password fields and password managers work together!
Security Tips
[Tip#51] Just because your webhook endpoints aren't listed anywhere (are they?) doesn't mean someone won't find them, and send malicious payloads to your app! You need to validate your webhook payloads!
Security Tips
[Tip#50] Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising it!
Security Tips
[Tip#49] Dev tools are are really helpful, but they are still just dev tools. Don't install them on production... or anywhere world-accessible, if you can avoid it.