Channel: Stephen Rees-Carter :laravel:
Browsing latest articles
Browse All 514 View Live

Account passwords are easy to compromise, so why are you relying on them to verify users within your app? If your users log in with a 2FA Token, then they should be able to prove it before performing...


I haven't done a sale on Securing Laravel in a while, and I will be disconnected from the internet until Saturday, so now is the perfect time for a sale, right?? I don't like doing things normally, so...


While it's tempting to throw everything into your logs, keep in mind where they end up → plain text files, 3rd party collectors, passed around the dev team, etc... 😱 If an attacker can access your logs,...

Search engines like to snoop on all of your files, so be careful what you leave lying around. All it takes is a simple Google Dork to find sensitive data in an exposed `.env` and your app will be...

What happens if your users lose their MFA tokens, and they never saved their recovery codes? Can you safely give them back access to their...


I get this question all the time: Is strip_tags() secure? My answer is always: Yes and No. It depends how and where you use it, so let's take a look at some of the common use cases and...

Do you know the difference between `e()`, `htmlspecialchars()`, & `htmlentities()`, and can we just use `e()` for everything? https://securinglaravel.com/security-tip-escape-output-with-e/ #Laravel

How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides? https://securinglaravel.com/security-tip-password-resets-and-mfa/ #Laravel


Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it... https://securinglaravel.com/security-tip-do-you-really-need-a/ #Laravel


For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1! HMACs are significantly harder to brute-force and don't suffer from collisions...

4 years of Securing Laravel! 🎂🎉 120 Security Tips 🕵️ 37 In Depth articles. Thank you all for the support over the years! https://securinglaravel.com/4-years/ #Laravel

Friendly reminder: Laravel 11 stops receiving bug fixes on Wednesday! 😱 This means you've only got 6 months to upgrade to 12 before security fixes are ended too. Don't put it off or you'll find yourself...

As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS...


Do you know what information is being leaked by the Referer header when your users click on external links? If your site is public, you might be safe - but what if you have internal apps, or sensitive...

Technically, XSS involves injecting malicious JavaScript, but sometimes you don't need any JS to get up to mischief!...


HTTPS is everywhere & easy, but HTTP is still the default option browsers will attempt when given a raw domain. How do you stop an attacker from abusing this by hijacking the initial HTTP...

We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form; it can provide attackers with crucial intel!...


Ugh, I hate it when apps switch from Next/Previous Tab switching to Most Recently Used (MRU) switching with Ctrl+Tab! MRU is only logical when you can't see the other tabs, otherwise it's a UX...

Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. 🤓 The one I'm about to publish came together perfectly, including the demo,...

Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS!...