The Lord of the Rings. Extended Editions.Marathon.Cinema.12 hours. I'm very excited!
The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running. My recommendation: Replace simple dependencies with...
Over the past couple of years, someone has randomly typo'ed their email address as one of mine (stephen@<provider>.com). It's never been a problem until now... They are trying SO HARD to sign up...
Laravel Security Tip: Do You Have a Permissions Policy? What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable...
Security headers add important layers of defence to your apps, preventing data leaks, XSS and CSRF attacks, clickjacking, and more... So why are you leaving your apps...
Setting up a CSP doesn't have to be a daunting task! Let's take a look at some tips for getting started with CSPs, without breaking...
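The three posts above (the Permissions-Policy tip, the security headers post and the CSP tip) all come down to one piece of code in a Laravel app: a middleware that sets the headers on every response. The block below is an added example written for this page, not code from Securing Laravel; the class name, the directive values and the /csp-report endpoint are assumptions chosen for illustration, and the CSP is sent in Report-Only mode so you can watch the reports before switching to enforcement.

```php
<?php
// Added example (not from the Securing Laravel posts): a Laravel middleware that
// attaches the headers discussed above. The class name, directive values and the
// /csp-report endpoint are assumptions chosen for illustration.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Permissions-Policy: switch off browser features the app never uses, so
        // an XSS payload cannot turn on the camera, microphone or geolocation.
        $response->headers->set(
            'Permissions-Policy',
            'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
        );

        // Clickjacking, MIME sniffing and referrer leakage. X-Frame-Options still
        // matters while the CSP below is report-only, because frame-ancestors in
        // a Report-Only policy blocks nothing.
        $response->headers->set('X-Frame-Options', 'DENY');
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');

        // HSTS only makes sense over HTTPS; sending it on plain HTTP is ignored.
        if ($request->isSecure()) {
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        // CSP in Report-Only mode: violations are POSTed to the (assumed)
        // /csp-report route but nothing is blocked yet, so the site keeps working
        // while the policy is tightened. Rename the header to
        // Content-Security-Policy once the reports are clean.
        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self'",
            "img-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self'",
            "frame-ancestors 'none'",
            "report-uri /csp-report",
        ]);
        $response->headers->set('Content-Security-Policy-Report-Only', $csp);

        return $response;
    }
}
```

Register it in the `web` middleware group (app/Http/Kernel.php up to Laravel 10, bootstrap/app.php via `withMiddleware()` from Laravel 11). Inline scripts and styles will show up as violations straight away; that is the point of starting in Report-Only mode, since each report tells you exactly which asset needs a nonce or a move to a separate file before enforcement is switched on.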
We write tests for everything else, so why not write tests for authorisation as well? https://securinglaravel.com/security-tip-test-for-missing-authorisation/ #Laravel
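What such a test looks like, as an added example for this page rather than code from the linked tip: a Laravel feature test that checks an update route from three angles (guest, non-owner, owner). The `Post` model with its `user()` relation, the `posts.update` and `posts.show` route names and the factories are assumptions for illustration.

```php
<?php
// Added example (not from the linked Securing Laravel tip): feature tests that
// fail if authorisation on an update route goes missing. The Post model, its
// user() relation, the route names and the factories are assumptions.

namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostAuthorisationTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_is_sent_to_login(): void
    {
        $post = Post::factory()->create(['title' => 'Original']);

        $this->put(route('posts.update', $post), ['title' => 'Hijacked'])
            ->assertRedirect(route('login'));

        $this->assertSame('Original', $post->fresh()->title);
    }

    public function test_other_user_is_forbidden(): void
    {
        $owner = User::factory()->create();
        $attacker = User::factory()->create();
        $post = Post::factory()->for($owner)->create(['title' => 'Original']);

        $this->actingAs($attacker)
            ->put(route('posts.update', $post), ['title' => 'Hijacked'])
            ->assertForbidden();

        // Check the data as well as the status code: a 403 after the write has
        // already happened is still a missing-authorisation bug.
        $this->assertSame('Original', $post->fresh()->title);
    }

    public function test_owner_can_update(): void
    {
        $owner = User::factory()->create();
        $post = Post::factory()->for($owner)->create(['title' => 'Original']);

        $this->actingAs($owner)
            ->put(route('posts.update', $post), ['title' => 'Renamed'])
            ->assertRedirect(route('posts.show', $post));

        $this->assertSame('Renamed', $post->fresh()->title);
    }
}
```

The negative cases are the ones that matter: a suite that only proves the owner can edit will stay green when the `authorize()` call is deleted. Repeat the non-owner case for every state-changing route, including any custom actions that sit outside the resource methods.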
I'll be including some early subscriber-only details in Wednesday's Securing Laravel email about the big 3rd birthday competition I'm working on. 🤐 I'd suggest subscribing now so you don't miss any...
The first piece of the challenge is ready, and my security tip for Wednesday is scheduled! I guess I'm doing this! 😎 Make sure you sign up at https://securinglaravel.com to join in the fun! #Laravel
Dev tools are really helpful, but they are still just dev tools. Don't install them on production, or anywhere world-accessible, if you can avoid...
Am I the only one who reads PRs from the bottom to top? It sounds strange, but scrolling to the bottom, and reading up, collapsing as I go, just works best for my brain. 🤷
Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually...
Don't mind me... I'm just staring at an empty analytics dashboard waiting for someone to solve the clue I put in the last Securing Laravel email... It just leads to a secret birthday challenge page......
Don't mind me, I'm just the idiot who forgot to test the secret page after enabling HTTPS... it should be working now. 🤦Off to a great start with this challenge. 🤣🤡
Watch out when you mix Resource Controllers and Authorisation with custom Controller Actions and custom routes... you may find you're lacking authorisation without realising...
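The gap the post warns about, shown as an added example for this page (not code from the post): `authorizeResource()` wires policy checks only for the seven resource actions, so a custom action registered next to the resource route runs with no check at all unless you add one. `PostPolicy`, the `Post` model and the `posts.archive` route are assumptions for illustration.

```php
<?php
// Added example (not from the Securing Laravel post): authorizeResource() only
// covers index/show/create/store/edit/update/destroy. A custom action such as
// archive() gets nothing unless the check is written explicitly. PostPolicy,
// the Post model and the archive route are assumptions for illustration.

namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class PostController extends Controller
{
    // Laravel 11's base Controller no longer pulls this trait in; earlier
    // versions already have it, so including it here is harmless.
    use AuthorizesRequests;

    public function __construct()
    {
        // Maps the resource methods to PostPolicy:
        //   index -> viewAny, show -> view, create/store -> create,
        //   edit/update -> update, destroy -> delete.
        $this->authorizeResource(Post::class, 'post');
    }

    public function update(Request $request, Post $post): RedirectResponse
    {
        // Covered: PostPolicy::update() already ran before this method.
        $post->update($request->validate(['title' => ['required', 'string']]));

        return redirect()->route('posts.show', $post);
    }

    // routes/web.php (assumed):
    //   Route::resource('posts', PostController::class);
    //   Route::post('posts/{post}/archive', [PostController::class, 'archive'])
    //       ->name('posts.archive');
    //
    // NOT covered by authorizeResource(): without the explicit call below, any
    // logged-in user could archive anyone's post.
    public function archive(Post $post): RedirectResponse
    {
        // Reuse the update ability, or add an archive() method to PostPolicy.
        $this->authorize('update', $post);

        $post->update(['archived_at' => now()]);

        return redirect()->route('posts.index');
    }
}
```

A quick way to audit this is to list every public method on a controller that uses `authorizeResource()` and confirm each one is either in the seven-method map or calls `authorize()` itself; the non-owner feature test from the earlier tip catches the ones that slip through.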
Just because your webhook endpoints aren't listed anywhere (are they?) doesn't mean someone won't find them, and send malicious payloads to your app! You need to validate your webhook...
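One way to do that validation, as an added example written for this page rather than code from the post: verify an HMAC signature over the raw request body before the payload is trusted. The header names, the signing scheme (timestamp and body joined with a dot), the secret and the sample payload are all constructed for illustration; real providers document their own scheme, so match the signed string to theirs.

```php
<?php
declare(strict_types=1);
// Added example (not from the Securing Laravel post): verify a webhook's HMAC
// signature before acting on the payload. Header names, signing scheme, secret
// and sample payload are constructed for illustration; adapt the signed string
// to whatever the provider actually documents.

const WEBHOOK_SECRET = 'whsec_example_do_not_use'; // assumed; load from config in real code
const SIGNATURE_TOLERANCE = 300;                    // seconds; bounds replay of a captured request

function computeSignature(string $rawBody, int $timestamp, string $secret): string
{
    // The timestamp is part of the signed string so it cannot be swapped out.
    return hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
}

function verifyWebhook(array $headers, string $rawBody, string $secret, ?int $now = null): bool
{
    $now ??= time();
    $timestamp = $headers['X-Webhook-Timestamp'] ?? null;
    $signature = $headers['X-Webhook-Signature'] ?? null;

    // Missing or malformed headers must fail closed, never fall through to "trusted".
    if ($timestamp === null || $signature === null || !ctype_digit((string) $timestamp)) {
        return false;
    }

    // Stale delivery: reject so a captured request cannot be replayed later.
    if (abs($now - (int) $timestamp) > SIGNATURE_TOLERANCE) {
        return false;
    }

    // hash_equals() compares in constant time, so response timing leaks nothing
    // about how many bytes of a forged signature were correct.
    return hash_equals(computeSignature($rawBody, (int) $timestamp, $secret), (string) $signature);
}

// Constructed demo: one genuine delivery, then three ways it can go wrong.
$body = json_encode(['event' => 'invoice.paid', 'invoice_id' => 42]);
$now  = 1700000000;
$goodHeaders = [
    'X-Webhook-Timestamp' => (string) $now,
    'X-Webhook-Signature' => computeSignature($body, $now, WEBHOOK_SECRET),
];

var_dump(verifyWebhook($goodHeaders, $body, WEBHOOK_SECRET, $now));                                        // genuine
var_dump(verifyWebhook($goodHeaders, '{"event":"invoice.paid","invoice_id":43}', WEBHOOK_SECRET, $now));   // body tampered
var_dump(verifyWebhook($goodHeaders, $body, WEBHOOK_SECRET, $now + 3600));                                 // replayed an hour later
var_dump(verifyWebhook([], $body, WEBHOOK_SECRET, $now));                                                  // unsigned
```

In a Laravel controller, pass `$request->getContent()` (the raw bytes, not a re-encoded `$request->all()`) and `$request->header('X-Webhook-Signature')` into the check, and exclude the webhook route from CSRF verification (`$except` on `VerifyCsrfToken`, or `validateCsrfTokens(except: [...])` from Laravel 11) since the sender cannot hold a session token; the signature is what stands in for it.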
Nice work Google... For some reason, this just feels like a phishing email. 🧐
Part Two of my Pentesting Laravel series on Securing Laravel is due out in a few hours - it'll be a little bit late. There is still a bit to cover, and I need to get the birthday challenge page up too!...