Article 3
Monday morning thought: Is dark mode the reason UIs suck? Before dark mode, UIs would use the full range of contrasting colours. Now UIs are either washed out dull colours with no contrast (light) or...
Article 1
XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe......
Article 0
Laravel makes authentication easy, but do you know who’s logging in? 🤔 Tracking login events is essential for identifying suspicious activity, debugging issues, and auditing your app’s security. Make...
Article 0
In my opinion, type juggling is one of PHP’s strengths, but it can also be one of PHP’s easily exploitable weaknesses... especially in an API. 😈 Make sure you're using strict comparisons, or you're leaving...
Article 0
Observing the existence of something you can't access still tells you something important, even if you can't access it. 🕵️ In other words: be intentional with your status codes; they may be leaking more...
Article 0
Let me tell you a story about a time when a single missing character allowed me to escalate my privileges and gain admin access, despite all the protections designed to stop me!...
Article 0
One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist. In a recent audit, I found myself...
Article 0
Just realised I missed last week's Securing Laravel email! My first missed week! 😧 2024 was a brutally hard year, and after finishing client work the week before Christmas, I crashed hard and am only...
Article 3
Working on my long-overdue In Depth for Securing Laravel, and I've got a really fun topic to cover this time: Top Authentication Fails. I'm covering examples of terrible auth I've come across, usually...
Article 2
I may or may not be trolling... 😇 (But seriously, this probably wouldn't have happened in MySQL...)
Article 1
Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication...
Article 0
When was the last time you ran `composer audit` on your app? 🧐 https://securinglaravel.com/security-tip-composer-audit/ #Laravel #PHP
Article 1
An often overlooked aspect to securing your customer data revolves around third-party APIs and prod API keys. Consider what would happen if you had prod keys on staging/dev and accidentally ran a...
Article 0
On the subject of protecting third-party APIs and customer data, where do you store your API keys and credentials? Hopefully not committed into git, right?? 🤨 Trufflehog and Gitleaks are my go-to tools...
Article 0
Canary Tokens are one of those tools I am always amazed no one uses. They are so easy to use, and completely free, but I never see them in the wild. 🧐 Check them out:...
Article 1
Can I turn off the enemies in Factorio? I've only got the demo so far, so I'm hoping it's a feature in the full version, but if I always need to balance building with fighting off attacks, it's way less...
Article 0
Sometimes a single rate-limit just won't do the job. Luckily, Laravel lets us define multiple, so we can mix-and-match. https://securinglaravel.com/security-tip-multiple-rate-limits/ (Protip: Don't...