Article 0
I talk about it all the time, so it should come as no surprise that my favourite trick to avoiding XSS with complex HTML output is to use Laravel's HtmlString with {{ ... }}. The less you use {!! ......
Article 1
Ok #Laravel folks, without looking anything up, what do you think this code does?

Broadcast::channel('users.{id}', function (User $user, $id) { return (bool) $user->id == $id;});
Article 0
I'll be diving into this in my next Security Tip over at https://securinglaravel.com, sign up so you don't miss it. This is a *really* fun one. 😈
Article 3
Had a wide range of responses to my code question (https://phpc.social/@valorin/113999349390860081), and unsurprisingly a lot of folks aren't fully aware of how PHP handles precedence, and why brackets...
Article 2
I've had a few "ad companies" reach out about ads/sponsorships on Securing Laravel, so let me be clear: I'm not interested in a third-party managing any content on SL. But it got me thinking, are there...
Article 1
The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running. My recommendation: Replace simple dependencies with...
Article 1
These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying...
Article 0
Running my first "Let's Hack!" Laravel workshop for an awesome Aussie team tomorrow! 🎉 It's based around "Th1nk Lik3 a H4cker", but I've added more challenges and twists, so even if they've studied,...
Article 0
I probably won't be online much this week, we were supposed to be travelling for a family funeral, but instead we're preparing the house for incoming Cyclone Alfred! 😧 It's not on a direct course, but...
Article 4
It's been a week, so a quick update: We managed to avoid any damage or loss of power/internet during the cyclone, but the prep work and kids at home meant I didn't get any work time, so I missed last...
Article 3
Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious...
Article 2
Ok folks, repeat after me: Do not turn on debug mode in production! Do not turn on debug mode in production! Do not turn on debug mode in production! Do not turn on debug mode in production! Do not turn on...
Article 1
Ok, fine. This is actually XSS and not specifically related to debug mode. 🤷 Therefore... Repeat after me: Escape your outputs! Escape your outputs! Escape your outputs! Escape your outputs!
Article 0
Long overdue, but I finally tagged v1.0 of valorin/random! 🎉The only significant change is removing string support in pick(), and returning the same type. The rest is pretty stable, and works from PHP...
Article 1
This is gonna be a fun one! 🤓 If you have any security questions about the new Laravel Starter Kits, let me know and I'll try to fit it in!
Article 0
Unexpected benefit of Laravel Cloud - spinning up test apps for vulnerability scanning. 😈
Article 0
Sorry folks, I'll have to delay my In Depth on the Starter Kits until next week. I'm 4k words deep into it so far (and somehow only covered the first?! 😲) but a few things outside my control mean I...
Article 1
Laravel 12 introduced a seemingly minor change: image validation now excludes SVGs by default. 🤔 Let's take a look at why this is so important!...
Article 0
I don't normally post JS stuff, but CVE-2025-29927 is a whole lot of fun! "it was possible to skip running Middleware, which could allow requests to skip critical checks—such as authorization cookie...