From securinglaravel.com
Security Tip: Temporary Local File URLs!
[Tip #108] Temporary URLs for file access are an essential piece of the security puzzle, but until recently they were only available out-of-the-box for the S3 driver. Now you can easily generate them for local files too!
13h ago
From securinglaravel.com
Security Tip: Type Coercion in Broadcast Routes!
[Tip #104] It's easy for type juggling to sneak into authorisation callbacks, especially when types are ambiguous, and if you're not careful, you may be leaving a massive hole waiting to be exploited!
on Feb 17
From securinglaravel.com
Security Tip: Excluding SVGs from Image Validation!
[Tip #107] Laravel 12 introduced a seemingly minor change - image validation now excludes SVGs by default. Let's take a look at why this is so important!
on Mar 25
From securinglaravel.com
Security Tip: Limiting bcrypt Passwords to 72 Bytes!
[Tip #106] Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious 500 server errors!
on Mar 11
From securinglaravel.com
Security Tip: Run Your CSP in Local Development!
[Tip #105] These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying colours.
on Feb 24
From securinglaravel.com
In Depth: Common Authorisation Failures!
[In Depth #34] Let's explore a number of common ways developers fail authorisation in Laravel apps, and what you need to watch out for so you don't make the same mistakes!
on Feb 11
From securinglaravel.com
Security Tip: Don't Roll Your Own Crypto!
[Tip #103] It's story time! Let's look at the SHA-3 competition as a reminder that crypto is hard...
on Feb 4
From securinglaravel.com
Security Tip: Do You Have an Upgrade Plan?
[Tip #102] In less than 2 weeks, Laravel 10.x will no longer be supported, and PHP 8.1 has less than 12 months left! Do you have an upgrade plan?
on Jan 24
From securinglaravel.com
Security Tip: Should You Limit Password Lengths?
[Tip #101] Password length limits are often a sign of a legacy backend or insecure hashing, but did you know bcrypt only hashes the first 72 characters? It raises the question, should we be limiting password lengths when using bcrypt too? π€
on Jan 15
From securinglaravel.com
In Depth: Five Ways to Fail at Authentication
[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.
on Jan 7
From securinglaravel.com
Security Tip: What If You Hashed Null?
[Tip #100] One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.
on Dec 17
From securinglaravel.com
Security Tip: Please Stop Hardcoding Admin Domains!
[Tip #99] Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me!
on Dec 11
From securinglaravel.com
Security Tip: Watch Out for Type Juggling
[Tip#26] Type Juggling is still very much a problem.
on Dec 4
From securinglaravel.com
Security Tip: strip_tags() Won't Save You from XSS!
[Tip #98] XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...
on Dec 3
From securinglaravel.com
Security Tip: Use Route Groups!
[Tip#24] It may sound trivial, but it's easy to overlook.
on Nov 27
From securinglaravel.com
Black Friday 2024: Exclusive Laravel Security Deals!
The end of the year is approaching far too quickly! I can't believe it's already the end of November, which means it's time for the traditional Securing Laravel Black Friday Sale! This year I'm offering my usual 25% off a new Premium subscription, but I'm also trying out a new
on Nov 26
From securinglaravel.com
Security Tip: Be Intentional with Your Outputs!
[Tip #97] XSS loves to sneak into your apps when you're not paying attention, so you need to be intentional with your outputs and think about every piece of user input you're using in your apps!
on Nov 25
From securinglaravel.com
Laravel Security Notice: Laravel Environment Manipulation via Query String
[Notice #3] Update your Laravel version and ensure `register_argc_argv` is disabled for non-CLI requests!
on Nov 19
From securinglaravel.com
In Depth: Laravel Security Audits Top 10 (2024)!
[In Depth #31] Here are the Top 10 security issues I've found during my security audits, highlighting the areas we as a community need to improve our security.
on Nov 15
From securinglaravel.com
Security Tip: Cryptographically Secure Randomness
[Tip#19] Because all randomness should be cryptographically secure.
on Nov 13
From securinglaravel.com
Security Tip: Keep Dependencies Updated
[Tip#18] Dependencies are security risks, especially if you have a lot of them or don't keep them updated...
on Nov 13
From securinglaravel.com
Security Tip: Don't Hardcode Admin Emails
[Tip#17] It's easy to forget to update the admins list when it changes...
on Nov 12
From securinglaravel.com
Security Tip: Ensure Your App Requires HTTPS!
[Tip #96] Encryption is essential, but you can't just install a certificate and go about your day... Secure those cookies, redirect from HTTP, and HSTS FTW!
on Nov 8
From securinglaravel.com
Security Tip: Avoid Open Redirects!
[Tip#16] Ever clicked a link that looked legitimate, but took you somewhere unexpected?
on Nov 6
From securinglaravel.com
Security Tip: Be Careful Of Transliteration
[Tip#15] Because we don't already have enough to worry about, without also needing to factor in other characters and emoji too...
on Nov 5
From securinglaravel.com
I'm speaking at Laracon AU on Thursday 7th November at 10:05 AM, presenting a brand new talk, "Bulletproof Coding: Essential Cybersecurity" (aka Practical Security)! Come along and join the fun as I hack more stuff live on stage, and hopefully scare you into writing more secure code! As is
on Nov 4
From securinglaravel.com
Security Tip: Should You Block Compromised Passwords?
[Tip#13] Blocking Compromised (Pwned) Passwords forces your users to use strong passwords, but is it the right choice for your app?
on Oct 23
From securinglaravel.com
Security Tip: Disallowing Functions with PHPStan!
[Tip #94] Just like we can detect insecure functions with Pest, we can use PHPStan extensions to find and disallow insecure functions!
on Oct 21
From securinglaravel.com
Security Tip: Default Password Rules
[Tip#11] Why duplicate password validation rules across your app when you can define defaults once?
on Oct 18
From securinglaravel.com
Security Tip: Rate Limit Your Login Forms!
[Tip#12] It's easy to guess passwords if your app doesn't rate limit attempts...
on Oct 18
From securinglaravel.com
Security Tip: Selectively Stage and Commit Changes
[Tip#10] You should always selectively stage changes, to avoid committing secrets or debug code and pushing to prod.
on Oct 18
From securinglaravel.com
In Depth: Pentesting Laravel part 4 - Reading Code Pays Off!
[In Depth #30] In the final part of the series, we finish our code searches and spend some time reading the code - which really pays off in terms of finding juicy vulnerabilities to exploit and report.
on Oct 17
From securinglaravel.com
Security Tip: Publish a security.txt!
[Tip#9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.
on Oct 10
From securinglaravel.com
Security Tip: The Cookie "Secure" Flag
[Tip#5] Don't forget to configure your cookies to only work over HTTPS.
on Oct 9
From securinglaravel.com
Security Tip: Sensitive Model Attributes
[Tip#8] We need to be careful of sensitive data and where it gets passed around, especially when it relates to models and JavaScript.
on Oct 8
From securinglaravel.com
Security Tip: Pest's Security Preset & Strict Equality
[Tip #93] Test suites aren't just for raw code expectations, it turns out you can also use them to encourage secure coding practices!
on Oct 7
From securinglaravel.com
Security Tip: Don't Trust User Input!
[Tip#7] Always pass user input through a validator to ensure you only get the data you're expecting.
on Oct 2
From securinglaravel.com
Security Tip: Retrieving Request Values
[Tip#40] Let's complete the set of request input helpers and their security implications.
on Oct 2
From securinglaravel.com
Security Tip: Avoiding XSS with HtmlString
[Tip#44] Check out that one simple trick... I mean... This is my favourite way to avoid XSS.
on Sep 29
From securinglaravel.com
In Depth: Pentesting Laravel part 1 - Passive Scans
[In Depth #27] Let me walk you through my process of conducting a Laravel Security Audit and Penetration Test, starting with the passive scans that usually find a lot of low-hanging fruit!
on Sep 28
From securinglaravel.com
Security Tip: Auto-Secure Cookies FTW!
[Tip #92] One of my personal pet peeves in Laravel has finally been fixed! The Secure cookie attribute will now match the request protocol! (I'm excited, can you tell?)
on Sep 27
From securinglaravel.com
Security Tip: Security Headers are Layers of Defence
[Tip#46] Security headers add important layers of defence to your apps, preventing data leaks, XSS and CSRF attacks, clickjacking, and more... Why are you leaving your apps unprotected?
on Sep 27
From securinglaravel.com
3 years of Securing Laravel!
Thank you for 3 incredible years of security in the Laravel community!
on Sep 26
From securinglaravel.com
Security Tip: Why Parameterised Queries Are Important!
[Tip#4] We're following the theme of reminders for simple features that are easy to overlook with a reminder to use Parameterised Queries!
on Sep 25
From securinglaravel.com
Security Tip: Store Sensitive Config in .env!
[Tip#3] Laravel's config files are great, but don't forget to put sensitive values (i.e. secrets, passwords, tokens, etc) in your .env file!
on Sep 25
From securinglaravel.com
Security Tip: Parameterise your Parameter Names!
[Tip #91] aka yet another example for why you should Never Trust User Input!
on Sep 20
From securinglaravel.com
Security Tip: Getting Started with Content Security Policies
[Tip#47] Setting up a CSP doesn't have to be a daunting task! Let's take a look at some tips for getting started with CSPs, without breaking anything!
on Sep 19
From securinglaravel.com
Security Tip: Don't Forget About Policy Filters!
[Tip#2] Policy Filters let you implement shared authorisation checks across your entire policy without repeating code in every method.
on Sep 19
From securinglaravel.com
Security Tip: Custom Encryption Keys for Cast Model Attributes
[Tip#1] A simple but quite important tip, how to use a custom encryption key for encrypted casting within Models.
on Sep 18