It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱 Laravel's new Prohibitable...
Do you have sufficient rate limiting on your app? Are your authentication routes covered? What about your API? Can a hacker brute-force your 2FA prompt? Rate limiting is important for a number of...
There is a false confidence about mass-assignment vulns that hides how easy it is for them to occur and be exploited. Especially with the `$fillable` property! So to counter it, here's the story of a...
I talk about it all the time, so it should come as no surprise that my favourite trick to avoiding XSS with complex HTML output is to use Laravel's HtmlString with {{ ... }}. The less you use {!! ......
Starting a new In Depth series on Securing Laravel that I'm VERY excited about. It's also one of my most requested topics. 😄 Any guesses? I'll give you a hint: I'm using Chirper as a starting point....
Yikes, just bumped past 3,000 words... This puts it in the top 3 for length - it's currently at 3,018, so it just beat out Magic Emails, and IDOR is pretty close. CSPs is still the longest by a significant...
Here it is, the first part in a series covering my Laravel Security Audit and Penetration Test process! 🕵️ In part 1, I walk you through the passive scans I always start with, which are guaranteed to...
Just woke up to awesome feedback on my latest Securing Laravel article about the first phase of my pentesting process: "I just wanted to say this is probably the most useful newsletter instalment I've...
Alright, my Threads is supposedly on the Fediverse now... Ping @valorinsrc - does this work?
Do you reset your 2FA secret keys when a user toggles TOTP off/on? It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA...
w00t! The Type Juggling and Secure/Strict Comparisons modules are basically done for Practical Laravel Security! 😁 It's taken an embarrassingly long time to get back into it, but I'm finally getting...
It's live! The Type Juggling module in Practical Laravel Security is out! 🎉 Type Juggling may not seem overly important since PHP 8.0 tweaked the rules, but you really need to pay attention to it... I...
Now that Type Juggling is done, next up on my list is Injection... how am I going to make PHP Object Injection safe??!! 😱
Apparently Copilot is on the same page as me, I wonder what its challenge ideas are. 🤔
Just thought of an awesome 4th challenge for this module, building it now! 😈 (Yes, I may be procrastinating from Injection, but it'll be worth it, I promise! 🤞)
One of my favourite parts of practicallaravelsecurity.com is the fireworks animation when you complete the final challenge in a module. Oh and unlike in the video, this challenge isn't as easy as just...
The 3rd anniversary of Securing Laravel is coming in 2 months, and I have some HUGE plans. 🤐 It's gonna be a lot of fun. 😈
Friendly reminder about #Laravel Forge and the recently disclosed RegreSSHion CVE-2024-6387 vuln: Forge servers are configured with unattended-upgrades, which automatically applies security updates, so...
Want a fun and interactive way to learn about Laravel Security without pesky checklists or boring theory? 🕵️ Practical Laravel Security has 28 hands-on challenges (+ more coming) that teach actual...