This just confirms my decision to move off Substack: https://www.platformer.news/p/why-platformer-is-leaving-substack I don't have an ETA yet. It'll be sometime this year, once I have time to evaluate...
In case you missed Caleb Porzio's announcement - Alpine now has an official CSP-friendly version! 🏆 This version lets you remove `unsafe-eval` from your CSP through the use of data...
Do you know the difference between in-band and blind SQLi, and why you don't need an error message to extract data through SQLi? I wrote this one a while ago, but it's still one of my favourites. It...
Building a dev or test Artisan command that you don't want, or can't risk, running in prod? Disable it! 😎 It's better to be paranoid and prevent non-prod code from being able to run in prod, rather than...
Really exciting to see Securing Laravel pass the 3k subscribers (free & paid) point! 🥳🎉 I never imagined it would go this far, yet here I am, 68 Security Tips and 22 In Depth articles later, and still...
Don’t trust user input! Don’t trust user input! And one more for good measure… Don’t trust user input! ⚠️ Always pass user input through a validator!...
Second attempt with the kids and we finally destroyed the ring, but it was definitely a close one! 🎉 #Tolkien #LOTR #LordOfTheRings
Heard about the new "Androxgh0st" Malware Targeting Laravel apps? You're only vulnerable if your `.env` file is web-accessible or you have debug-mode enabled. Here are the details:...
One of the most important things you need to know when building web apps is how to escape output safely. If someone can get XSS running on your site, they can hijack your user's accounts and do whatever...
It doesn't matter what front end tooling you use, you need to be careful of what data you send to the browser. Use Laravel's $hidden or $visible model properties to prevent sensitive info from being...
Laravel 9 stops receiving security updates in 15 days... Have you upgraded to 10 yet? https://securinglaravel.com/p/security-tip-use-a-supported-version #Laravel
Working on the 'Missing Authorisation' module for Practical Laravel Security and looking through my past audit findings for inspiration, but it's basically all just IDORs everywhere... 😭 I gotta think...
Copilot is normally pretty useless when I'm writing my challenges, but damn, that's actually a really good one. 🤣
Just the Theory page and one more challenge to go and this module will be complete! 🥳 The final challenge is going to be a nasty one.
Was hoping to have my Missing Authorisation module completed today, but I underestimated how big it would end up being... hopefully tomorrow. 🤞 The challenges are going to be a lot of fun, especially...
Have you heard about a security.txt file? It's a simple text file you put in `/.well-known/security.txt` that publishes your security contact details, so security folks can report vulnerabilities and...
Do you just use `git add .` when committing changes, and if so, when was the last time you accidentally committed a `dd()` or API key? 🤣 I recommend using `git add -p` to selectively stage and commit...
I'm surprised by the number of folks who use git guis. I find them so clunky and just slow me down compared to the raw cli. Doing it all via a couple of simple commands is so much more efficient in my...
When setting up a password validator, define your default password rules in your AppServiceProvider to keep it consistent and easy to change...
Following on from the git discussion... Who uses Quake mode with their terminal, so it's always accessible with a simple keyboard shortcut? I use Windows Terminal and can summon it instantly with: "Win +...