w00t! Securing Laravel has hit 4,000 subscribers! 🎉 Thanks for all the support over the last 4 years; you give me the momentum to keep writing each week. To celebrate, I've hidden a suitable premium...
The recently patched XSS in CommonMark's Attributes extension offers an interesting look at what happens when two different features conflict, one being a security feature, the other a knowingly...
Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass CSRF and cookie...
I just achieved the impossible and found a really cool 8-character .com domain available to register. Now I just need to build that side-project to go with it. 🤣
Let's take a dive into the security of Laravel's new Starter Kits to see how they handle authentication, what security features they include, and what areas could be improved! 🤓 (This is part 1; I only...
It's comments like these that make all the work I put into my big articles like https://securinglaravel.com/in-depth-a-deep-dive-into-laravels-new-starter-kits-pt-1/ so worth it! 🥰
I've been considering this for a while, so it's time to throw it out into the world... Securing Laravel is now open to sponsorships! 🎉 Your company can sponsor my weekly Security Tips, supporting my work...
Just bypassed CloudFlare Access on a client's site! 😈 Ask Me Anything! Note: my NDA prevents me from answering anything even vaguely relevant, but feel free to ask... 🤣
I miss the days when TV shows had more episodes, smaller budgets, and space to breathe. Wheel of Time was an incredible show, but 8 eps per season wasn't enough, and the "expectations of success" were...
Ok Aussie & NZ friends, would anyone be interested in coming to a half or full day security workshop in Brisbane the week before #LaraconAU (i.e. Mon, Tues, or Wed)? 🤓 If there is enough interest,...
Excited to report that I've had a lot of interest for a Laravel Security Workshop at Laracon AU, so I'm looking into venues for a half-day on Wed morning (12th Nov), so you just have to come a day...
On the subject of Laravel Security Workshops, any companies in the EU or UK interested in an in-person workshop for their team? I'm hoping to book a few around Laravel Live Denmark. 🤓 I've transformed...
So many spinning plates at the moment, between trying to organise workshops, trips, sponsors, audit/pentest clients, etc... 🥴 To keep up with all I'm doing, sign up to https://securinglaravel.com. The...
It may seem like a harmless debugging tool, with a bunch of boring config values and version numbers, but phpinfo() is a goldmine of sensitive data - even when it's "protected" in an admin account!...
It may be tempting to reach for env() outside your config files, but you may be introducing subtle bugs, or exposing your app to compromise...
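As an added illustration of the env() trap (this is example code, not code from the post or from Laravel itself): Laravel's own documentation states that once `php artisan config:cache` has run, the .env file is no longer loaded at all and env() only returns real system-level environment variables, so an env() call in application code quietly starts returning null in production. The `STRIPE_SECRET` variable, the `services.stripe.secret` config key and the two client classes below are assumptions for the example.

```php
<?php
// Added example, not from the original post. Assumes a Laravel app, a hypothetical
// STRIPE_SECRET entry in .env, and a hypothetical config/services.php entry:
//
//     'stripe' => ['secret' => env('STRIPE_SECRET')],
//
// Config files are the one place env() belongs: they are evaluated once, and
// `php artisan config:cache` bakes their values into bootstrap/cache/config.php.

namespace App\Services;

use RuntimeException;

// Anti-pattern: env() in application code. Works in local dev, where .env is
// loaded on every request, then returns null in production after config:cache,
// because a cached config makes the framework skip loading .env entirely.
final class StripeClientFromEnv
{
    public function secret(): string
    {
        return (string) env('STRIPE_SECRET'); // '' once config is cached
    }
}

// Correct: read the value through config(), which serves the cached copy.
final class StripeClient
{
    public function secret(): string
    {
        $secret = config('services.stripe.secret');

        if (!is_string($secret) || $secret === '') {
            // Fail loudly at startup rather than sending '' to a third-party API.
            throw new RuntimeException('services.stripe.secret is not configured');
        }

        return $secret;
    }
}
```

To see the difference in a real app: run `php artisan config:cache`, then in `php artisan tinker` compare `env('STRIPE_SECRET')` (null) with `config('services.stripe.secret')` (the cached value); `php artisan config:clear` restores .env loading.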
"Don't Roll Your Own Crypto" applies to password generators too! It's way too easy to unknowingly lower your entropy by trying to be clever...
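An added worked example of the entropy point (example code, not from the post): a "clever" generator that builds passwords in a fixed shape so they always pass a complexity policy, next to plain uniform sampling with random_int() and rejection until the policy holds. The character classes, the 10- and 16-character lengths and the symbol set are assumptions chosen for the example; the entropy figures are computed from them in the code.

```php
<?php
// Added example, not from the original post: why "clever" password generators lose entropy.
declare(strict_types=1);

const LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGITS  = '0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{}?';             // 19 symbols (assumed set)
const ALPHABET = LOWER . UPPER . DIGITS . SYMBOLS;  // 81 characters

/** Entropy in bits of picking $length characters uniformly from $alphabetSize. */
function uniformEntropyBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

/**
 * The "clever" generator: fixed shape Upper + 6 lower + 2 digits + symbol, so every
 * output satisfies a one-of-each-class policy. Two problems:
 *  1. The shape is public, so an attacker searches 26 * 26^6 * 100 * 19 candidates
 *     (~43.8 bits) instead of 81^10 (~63.4 bits) for a 10-character password.
 *  2. mt_rand() is a Mersenne Twister, not a CSPRNG; its output is predictable
 *     from observed values, so the real entropy can be far lower still.
 */
function cleverPassword(): string
{
    $p = UPPER[mt_rand(0, 25)];
    for ($i = 0; $i < 6; $i++) {
        $p .= LOWER[mt_rand(0, 25)];
    }
    $p .= sprintf('%02d', mt_rand(0, 99));
    $p .= SYMBOLS[mt_rand(0, strlen(SYMBOLS) - 1)];
    return $p;
}

/** Search space, in bits, of the fixed shape above. */
function cleverEntropyBits(): float
{
    return 7 * log(26, 2) + log(100, 2) + log(strlen(SYMBOLS), 2);
}

/** Does $password contain at least one character from each class? */
function meetsPolicy(string $password): bool
{
    foreach ([LOWER, UPPER, DIGITS, SYMBOLS] as $class) {
        if (strpbrk($password, $class) === false) {
            return false;
        }
    }
    return true;
}

/**
 * Uniform sampling with random_int() (CSPRNG), then rejection of whole candidates
 * until the policy holds. Rejecting entire candidates keeps the accepted set
 * uniform; at length 16 the policy excludes roughly 14% of 81^16 strings, so the
 * loss against ~101.4 bits is well under one bit.
 */
function securePassword(int $length = 16): string
{
    $max = strlen(ALPHABET) - 1;
    do {
        $p = '';
        for ($i = 0; $i < $length; $i++) {
            $p .= ALPHABET[random_int(0, $max)];
        }
    } while (!meetsPolicy($p));
    return $p;
}

printf("clever shape (10 chars): %s  ~%.1f bits\n", cleverPassword(), cleverEntropyBits());
printf("uniform, 10 chars:       ~%.1f bits\n", uniformEntropyBits(strlen(ALPHABET), 10));
printf("uniform, 16 chars:       %s  ~%.1f bits\n", securePassword(16), uniformEntropyBits(strlen(ALPHABET), 16));
```

The lesson generalises beyond this shape: any rule that fixes which class goes in which position, or that mutates a uniform string to "fix" it, shrinks the candidate set the attacker must search, and any generator built on mt_rand()/rand()/str_shuffle() rather than random_int()/random_bytes() is predictable regardless of length.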
It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin!...
Starting to lock in details for the Pre-Laracon Security workshop in Brisbane! 🎉 It'll be the morning of Wednesday 12th November - the day before Laracon AU, at a venue really close to the...
This is your periodic reminder to check your app for any leaky APIs and fix them ASAP, otherwise you might end up with an email from Have I Been Pwned's Troy...
That one time I had a domain hijacked... aka don't leave domains (or subdomains) pointing at servers or nameservers you don't control!...