Let's check out three of the configuration options available as part of Laravel 11's Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt...
Finally bit the bullet and started to restructure Practical Laravel Security. It always felt disjointed having different sections and theory pages - like massive data dumps - alongside the challenges,...
The attacking and defending theory will exist around the challenges - introducing the challenges and through hints, with defences after. It's funny, I chose to not do videos to make it easier to build....
I've still a lot of work to do to get it finished - life has been brutal and chaotic for the past two years and sucked up virtually all of my non-client time, but I'm feeling really excited about this...
Anyone else find submitting ECE credits on EC-Council to be an absurdly painful experience? The form refuses any non-alphanum characters for some insane reason, and paste clears everything. Also, first...
Signed URLs are still one of my favourite Laravel features. I've seen them used for so many interesting and creative purposes - they make a complex security control trivial.[$]...
Just realised Securing Laravel recently passed 3,500 subscribers! 🎉 I never imagined it'd grow that large, or that there'd be that many people interested in what I have to say about Laravel...
Do you use Encrypted Environment files in Laravel? I think they are great for some special use cases, but given the prevalence of API keys and credentials found in repos, is it worth it to use them all...
Getting closer to migrating Securing Laravel to Ghost, but now there is a new issue: Substack manage the Stripe account, so I can't link Ghost to import subscribers. Hopefully there is an easy fix. 🤞
We often talk about validating user input from the browser, but what about user input on the command line? Validation is just as useful there...
It's easy to make innocent changes to one part of your app and forget to check how that flows into other parts of your app... Such as leaking sensitive data that you thought was protected!...
The Securing Laravel migration to Ghost saga continues... Apparently I'm one of the lucky few who had their Stripe accounts locked to Substack. 🤦 I'm really worried Substack will do something stupid like...
Magic Emails, i.e. OTP codes and unique links, are a fun topic to dive into, and I've seen them implemented in so many different ways... Here's how I do it: [$]...
Doesn't look like the migration will be happening this week. 😔 Currently in a game of 3-way email tennis between Substack and Ghost, with timezones giving a 48-hour round-trip! Ghost want Substack to...
Hey #infosec folks, would you consider CSS Click-jacking to be XSS? It's definitely an injection attack, but it's not a script as such. I'm unsure how strict the definition of XSS is. (( By CSS...
I can always tell I'm working with a client who knows security well (and subscribes to my mailing list!) when I'm having to dig out obscure and fun vulnerabilities like CSS Click-jacking. 😈
My first full-time dev job was building a domain name registration system, so I'm very good at sniffing out domain scams. 🧐 I received a suspicious looking email yesterday, so let's see how far I can...
My belief that this is a scam was justified when this email arrived. (I'll call them SL and ZN.) ZN wants to use 'securinglaravel', and SL has advised against it, but ZN is just going to ignore SL's...