Article 0
Ok folks, time for a little poll... Is Markdown safe to use for user input? #Laravel #PHP Yep! 👍 Nope! 👎
It's not just your app dependencies that need to be maintained and updated, but also the tools you use every day - such as Composer, which recently fixed a High severity security risk!...
For [redacted] reasons, I've been dealing with a lot of passwords recently, so now feels like a good time to post this one. 🤓 My guide to rehashing passwords, both legacy and modern: [$]...
There are many ways to structure your access control, but my preferred method is to use Route Groups. Keeping everything in one place makes it much easier to review your permissions, and much harder to...
Do you log login attempts in your app? 🤔 Both successes and failures? 😯 Why not? 😧 https://securinglaravel.com/p/security-tip-login-logging #Laravel #php
We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form... it can provide attackers with crucial intel!...
Parents will be familiar with the “brush your teeth” dance: you ask your kids to brush their teeth, they spend exactly 5 ms in the bathroom, and are surprised when you know they are lying! This same...
In my opinion, type juggling is one of PHP’s strengths, but also one of PHP’s easily exploitable weaknesses... It's also the root cause of one of my favourite (and most lucrative) hacking tricks!...
No Windows, "this PC" is mine and no one is taking it from me, so I sure as hell won't recommend it to anyone. But if you'd asked if I recommend Windows 11 or my beloved ThinkPad X1C? Then yes, 100%...
Having a bit of fun with my next In Depth article with some terrible examples. 🤓 Can you guess the topic?
New Securing Laravel In Depth: Registration Without Enumeration! In which I proceed to turn Laravel's leaky Breeze registration form into an enumeration-free zone with some terrible examples! [$]...
Laravel's Policy Objects are awesome, but did you know they can leak information? The difference between a 403 and a 404 can tell you a lot about an...
When was the last time you ran `composer audit`, and did it say "No security vulnerability advisories found."? If not, you've got some work to...
I wrote a non-Laravel-specific thing! You never know what data is going to be useful, so your API should return as much data as possible, right? Right??...
You may have heard of the `/.well-known/` path, and the `security.txt` file, but there is a new one called `change-password` you should be aware of too! 🤓 (Spoiler: It tells password managers where your...
Still a lot to do before Dropbear will be ready for an actual usable release, but I've been spending some time cleaning up the scanner output, and I'm really loving it. 🥰 I'm thinking of opening it up...
Dropbear subdomain scanner is now looking pretty too. 🤩 It also gave me a big kick to get rid of those old Fathom subdomains! 🤣 I don't use this one often, but it does uncover some fun stuff...
Given the #Laravel 11 release last week, I'm starting a new series on Securing Laravel today, covering all of the new and updated security features in the framework. Subscribe 👉...