Do you have sufficient rate limiting on your app? Are your authentication routes covered? What about your API? Can a hacker brute-force your 2FA prompt? Rate limiting is important for a number of...
There is something disturbing about AI options in Microsoft Notepad... but also kinda fun. 🤣
I talk about it all the time, so it should come as no surprise that my favourite trick to avoiding XSS with complex HTML output is to use Laravel's HtmlString with {{ ... }}. The less you use {!! ......
Ok #Laravel folks, without looking anything up, what do you think this code does?

Broadcast::channel('users.{id}', function (User $user, $id) {
    return (bool) $user->id == $id;
});
I'll be diving into this in my next Security Tip over at https://securinglaravel.com, sign up so you don't miss it. This is a *really* fun one. 😈
Had a wide range of responses to my code question (https://phpc.social/@valorin/113999349390860081), and unsurprisingly a lot of folks aren't fully aware of how PHP handles precedence, and why brackets...
I've had a few "ad companies" reach out about ads/sponsorships on Securing Laravel, so let me be clear: I'm not interested in a third party managing any content on SL. But it got me thinking, are there...
The more dependencies your project has, the higher your risk of supply-chain attack is, and the less you're aware of what code is actually running. My recommendation: Replace simple dependencies with...
These are my top 3 tips for getting started with a Content Security Policy - as proven by a friend who went from failing security scans to passing with flying...
Running my first "Let's Hack!" Laravel workshop for an awesome Aussie team tomorrow! 🎉 It's based around "Th1nk Lik3 a H4cker", but I've added more challenges and twists, so even if they've studied,...
I probably won't be online much this week, we were supposed to be travelling for a family funeral, but instead we're preparing the house for incoming Cyclone Alfred! 😧 It's not on a direct course, but...
It's been a week, so a quick update: We managed to avoid any damage or loss of power/internet during the cyclone, but the prep work and kids at home meant I didn't get any work time, so I missed last...
Laravel 12 gives us the ability to reject passwords longer than 72 bytes for bcrypt, but you need to turn it on manually. Oh, and don't forget to add a validation rule, or you'll be throwing suspicious...
Ok folks, repeat after me:
Do not turn on debug mode in production!
Do not turn on debug mode in production!
Do not turn on debug mode in production!
Do not turn on debug mode in production!
Do not turn on...
Ok, fine. This is actually XSS and not specifically related to debug mode. 🤷 Therefore... Repeat after me:
Escape your outputs!
Escape your outputs!
Escape your outputs!
Escape your outputs!
Long overdue, but I finally tagged v1.0 of valorin/random! 🎉 The only significant change is removing string support in pick(), and returning the same type. The rest is pretty stable, and works from PHP...
This is gonna be a fun one! 🤓 If you have any security questions about the new Laravel Starter Kits, let me know and I'll try to fit it in!
Unexpected benefit of Laravel Cloud - spinning up test apps for vulnerability scanning. 😈
Sorry folks, I'll have to delay my In Depth on the Starter Kits until next week. I'm 4k words deep into it so far (and somehow only covered the first?! 😲) but a few things outside my control mean I...