
valorin

@valorin@phpc.social

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: https://infosec.exchange/@valorin
#searchable


valorin, to random

Anyone else having issues uploading images to phpc.social in the PWA on Android?

The image uploads and then errors out with:
"500 Error processing thumbnail for uploaded media"

@ramsey @phpc

valorin,

@ramsey @phpc Testing...

Nope, still 500-ing.

valorin,

@ramsey @phpc @ian
I'm trying to upload photos or screenshots I've taken on my phone, using the paperclip "Add media" icon below the post editor.

It happens with any photos or screenshots I try in the PWA, but the browser version on my laptop is fine.

Here's a recording of it in action:

[video attachment: video/mp4]

valorin, to Laravel

This is your periodic reminder to keep your dependencies updated.

composer outdated and composer audit are your friends! 🤓

https://securinglaravel.com/p/security-tip-keep-dependencies-updated

valorin, to Laravel

This is your periodic reminder that you shouldn't hardcode admin accounts in your code! ⚠️

You'll end up forgetting to update the list when an admin leaves (or is fired), and someone with malicious intent will get admin permissions...
https://securinglaravel.com/p/security-tip-dont-hardcode-admin

valorin, to Laravel

Ⓣⓡⓐⓝⓢⓛⓘⓣⓔⓡⓐⓣⓘⓞⓝ is a sneaky trick that can be used to bypass rate limiting, blocklists, existence checks, and more, by taking advantage of your database's "helpful" nature...

https://securinglaravel.com/p/security-tip-be-careful-of-transliteration

valorin, to Laravel

How secure is your staging site?

Staging is often buggy, full of vulnerabilities, and debugging tools, and an easy gateway into your production environment. Make sure you protect it!

[$] https://securinglaravel.com/p/in-depth-protecting-staging-sites

valorin, to Laravel

How much do you trust the 3rd-party scripts included on your site? Would you know if they changed and a malicious script was added?

Subresource Integrity solves this problem by defining a safe version and preventing any unexpected changes!
https://securinglaravel.com/p/security-tip-subresource-integrity
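
As an added example (not code from the post), plain PHP that derives the integrity attribute for a vetted third-party file and emits the script tag; the URL and file contents are constructed samples.

```php
<?php
// Added example (not from the original post): build a <script> tag carrying a
// Subresource Integrity digest for a third-party file you have reviewed. The
// browser refuses to execute the script if the bytes it fetches no longer hash
// to the pinned value, so an unexpected change is blocked instead of run.

declare(strict_types=1);

function sriDigest(string $contents, string $algo = 'sha384'): string
{
    // SRI accepts sha256, sha384 or sha512; the value is base64 of the raw digest.
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("Unsupported SRI algorithm: $algo");
    }

    return $algo . '-' . base64_encode(hash($algo, $contents, true));
}

function sriScriptTag(string $src, string $contents, string $algo = 'sha384'): string
{
    // crossorigin="anonymous" is required for cross-origin scripts; without it
    // the browser cannot check the digest and blocks the load entirely.
    return sprintf(
        '<script src="%s" integrity="%s" crossorigin="anonymous"></script>',
        htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        sriDigest($contents, $algo)
    );
}

// Constructed sample: in practice hash the exact bytes you reviewed
// (e.g. file_get_contents() of the downloaded file), not a later fetch.
$vendorJs = "console.log('vendor widget v1');\n";
echo sriScriptTag('https://cdn.example.com/widget.js', $vendorJs), PHP_EOL;

// Any later change to the file, even one extra line, yields a different digest,
// so the pinned tag above will no longer match and the browser refuses it.
$changed = $vendorJs . "// one extra line\n";
var_dump(sriDigest($vendorJs) === sriDigest($changed));
```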

valorin, to Laravel

The long-awaited Missing Authorisation module for Practical Laravel Security is now LIVE! 🎉

This module covers IDORs, broken crypto, exposed routes, and related records, and includes 6 challenges to teach you how to find and exploit these vulnerabilities. 🕵️

The associated defence modules, covering Policies, Gates, Signed URLs, etc, should be coming next week to complete the topic.

Sign up: https://practicallaravelsecurity.com/
Or join the mailing list - I'll send out the details on Monday.

valorin, to Laravel

Does your login form rate limit requests, or does it let an attacker make as many as they want? 🔓

You need rate limiting to slow down and hinder brute-force and credential stuffing attacks!
https://securinglaravel.com/p/security-tip-rate-limited-logins
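
An added example (not the post's own code) of a named login limiter in Laravel's AppServiceProvider, keyed on both the submitted account and the client IP; it assumes the form field is called "email" and that the login route is registered with the throttle middleware as shown in the trailing comment.

```php
<?php
// Added example (not the post's own code): a named "login" rate limiter
// defined in App\Providers\AppServiceProvider::boot(). Assumes the login form
// posts an "email" field.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('login', function (Request $request) {
            // Normalise so "User@Example.com" and "user@example.com" share a bucket.
            $email = strtolower(trim((string) $request->input('email')));

            // Returning several limits applies all of them; a request is rejected
            // with HTTP 429 as soon as any one bucket is exhausted.
            return [
                // Brute force: 5 attempts per minute per account + IP pair.
                Limit::perMinute(5)->by($email . '|' . $request->ip()),
                // Credential stuffing: many different accounts from one IP still
                // hit a ceiling, even though each account bucket stays under 5.
                Limit::perMinute(30)->by($request->ip()),
            ];
        });
    }
}

// routes/web.php (LoginController is a hypothetical name):
//   Route::post('/login', [LoginController::class, 'store'])
//       ->middleware('throttle:login');
```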

valorin, to Laravel

When setting up a password validator, define your default password rules in your AppServiceProvider to keep it consistent and easy to change later.
https://securinglaravel.com/p/security-tip-default-password-rules
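
The setup described above as an added example (not the post's own code): the rules live once in AppServiceProvider::boot(), and every validator refers to them through Password::defaults().

```php
<?php
// Added example (not the post's own code): central password rules declared
// once in App\Providers\AppServiceProvider::boot(). Form requests then use
// Password::defaults(), so tightening the policy later is a one-line change.

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use Illuminate\Validation\Rules\Password;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Password::defaults(function () {
            $rule = Password::min(12)
                ->letters()
                ->mixedCase()
                ->numbers()
                ->symbols();

            // uncompromised() checks the password against the Have I Been Pwned
            // range API (k-anonymity: only a hash prefix leaves the server).
            // Limit it to production so local and CI runs stay offline.
            return $this->app->isProduction() ? $rule->uncompromised() : $rule;
        });
    }
}

// In any form request or controller validation, no rule details repeated:
//   'password' => ['required', 'confirmed', Password::defaults()],
```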

valorin, to random

I'm surprised by the number of folks who use git guis. I find them so clunky and just slow me down compared to the raw cli. Doing it all via a couple of simple commands is so much more efficient in my eyes. 🤷

valorin,

@michael Agreed that those are a pain via cli, although I haven't found a gui that I liked enough to use in those situations.

valorin, to random

Do you just use git add . when committing changes, and if so, when was the last time you accidentally committed a dd() or API key? 🤣

I recommend using git add -p to selectively stage and commit changes - it'll keep those debugging lines out of prod!
https://securinglaravel.com/p/security-tip-selectively-stage-and

valorin, to Laravel

It doesn't matter what front end tooling you use, you need to be careful of what data you send to the browser.

Use Laravel's $hidden or $visible model properties to prevent sensitive info from being leaked!
https://securinglaravel.com/p/security-tip-sensitive-model-attributes

valorin, to Laravel

In case you missed Caleb Porzio's announcement - Alpine now has an official CSP-friendly version! 🏆
This version lets you remove unsafe-eval from your CSP through the use of data components.
https://securinglaravel.com/p/security-tip-use-the-alpinejs-csp
https://alpinejs.dev/advanced/csp

valorin, to random

This just confirms my decision to move off Substack: https://www.platformer.news/p/why-platformer-is-leaving-substack

I don't have an ETA yet. It'll be sometime this year, once I have time to evaluate the options and/or build my own platform.

I have considered tying Securing Laravel and Practical Laravel Security into a bigger thing too, so this might be a good catalyst for that move.

valorin, to Laravel

One of the first things I "fix" in a new Laravel project:
SESSION_SECURE_COOKIE=true

Secure cookies are essential, so make sure they are enabled.

https://securinglaravel.com/p/security-tip-the-cookie-secure-flag

outofcontrol, to Laravel

Saw this on the #Laravelshift newsletter (admit I mostly signed up for tips at the bottom), and looks like Jason doesn’t post on Mastodon… yet :) so posting here. Have to admit, I’ve had a hankering for something like a .laravel file a few times now.

#laravel #php

valorin,

@outofcontrol My initial reaction was: not another base level config file!!

I really wish there was a standard for .config/ or something. It's ridiculous just how many config files we've got floating around.

But I do like the idea of configuring Laravel's non-app behaviour somewhere portable.

valorin,

@alex @outofcontrol @emd @shawnhooper The only way the community will move is if a group of the big names move, but they are too comfortable on Twitter to see any point in moving.

I suspect it'll take Twitter actually turning off for anything to happen.

valorin, to Laravel

Let's solve XSS with a bit of CSS! 🤓

Next time you think about reaching for nl2br(), reach for a bit of CSS instead: white-space: pre-line;
It'll do the same job without risking XSS sneaking through.
https://securinglaravel.com/p/security-tip-dont-use-nl2br
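
An added example (not from the post) in plain PHP, runnable from the CLI, showing the nl2br() sink next to the escape-plus-CSS alternative; the comment text is a constructed input.

```php
<?php
// Added example (not from the original post), runnable with plain PHP.
// Shows why nl2br() on unescaped input is an XSS sink, and that escaped output
// plus "white-space: pre-line" gives the same line breaks with no raw HTML.

declare(strict_types=1);

// Constructed user input: a comment with line breaks and a script payload.
$comment = "Great post!\n<script>alert(1)</script>\nThanks.";

// Vulnerable: nl2br() only inserts <br />; it does NOT escape anything. To make
// the <br /> render in Blade you have to use {!! !!}, and then the script tag
// in the user's text is rendered as real HTML too.
function renderWithNl2br(string $text): string
{
    return '<p>' . nl2br($text) . '</p>';
}

// Hardened: escape exactly as Laravel's e() / Blade {{ }} do (htmlspecialchars
// with ENT_QUOTES) and let the browser honour the newlines via CSS. No raw
// HTML from the user is ever emitted, so there is nothing to break out of.
function renderWithPreLine(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<p style="white-space: pre-line">' . $escaped . '</p>';
}

// Simple check a test suite could keep: did a live <script> tag reach the output?
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo 'nl2br():  ', renderWithNl2br($comment), PHP_EOL;
echo 'pre-line: ', renderWithPreLine($comment), PHP_EOL;
var_dump(containsScriptTag(renderWithNl2br($comment)));   // raw tag passed through
var_dump(containsScriptTag(renderWithPreLine($comment))); // tag is now &lt;script&gt;
```

In a Blade view the hardened form is simply `<p style="white-space: pre-line">{{ $comment }}</p>`, with the default escaping left in place.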

valorin, to Laravel

Security is all about adding layers of defence.

If you're using encrypted model casts in Laravel, it's a good idea to define a custom encryption key for model casts, so one key being compromised doesn't affect the others!
https://securinglaravel.com/p/security-tip-custom-encryption-key
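
An added example (not the post's own code) of giving encrypted casts their own key in AppServiceProvider::boot(); it assumes a hypothetical MODEL_ENCRYPTION_KEY environment variable exposed through config/app.php, and relies on the Model::encryptUsing() hook that Eloquent's encrypted casts consult.

```php
<?php
// Added example (not the post's own code): a dedicated key for Eloquent's
// "encrypted" casts, separate from APP_KEY. Assumes config/app.php contains
//   'model_encryption_key' => env('MODEL_ENCRYPTION_KEY'),   // hypothetical name
// holding a base64 key made with `php artisan key:generate --show`, and uses
// Model::encryptUsing() to swap the encrypter used by encrypted casts.

namespace App\Providers;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\ServiceProvider;
use RuntimeException;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $key = (string) config('app.model_encryption_key');
        $cipher = (string) config('app.cipher'); // same cipher as APP_KEY, e.g. AES-256-CBC

        if ($key === '') {
            // Fail closed: silently falling back to APP_KEY would defeat the point.
            throw new RuntimeException('MODEL_ENCRYPTION_KEY is not set');
        }

        if (str_starts_with($key, 'base64:')) {
            $key = base64_decode(substr($key, 7), true);
        }

        // From here on, models with 'encrypted' casts use this key. A leaked
        // APP_KEY alone no longer decrypts stored attributes, and vice versa.
        Model::encryptUsing(new Encrypter($key, $cipher));
    }
}
```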

valorin, to random

Working on a new package aimed at making secure randomness a bit easier for folks who don't know how to implement some of the common use cases, such as OTPs, passwords with complexity rules, etc.

Still a lot to do, but you can take a peek at: https://github.com/valorin/random

valorin, to random

So, ... 🤦

I really love the platform, and I had hoped the leaders would actually grow a f**king conscience, but apparently I was mistaken.

I think I'll need to migrate Securing Laravel somewhere else. No idea where though. 😔

It's been a brutal year and I'm already totally burnt out. I'll migrate in 2024 when I've had a chance to plan it properly.

valorin, to php

We looked at strip_tags() last week, so we're finishing off the set with e(), htmlspecialchars(), & htmlentities() this week! 🤓
Do you know what the difference is, and when you should use each of them? 🤔
https://securinglaravel.com/p/security-tip-escape-output-with-e
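
As an added example (not from the post), plain PHP that runs strip_tags(), htmlspecialchars(), htmlentities() and the exact htmlspecialchars() call behind Laravel's e() over one constructed string, so the differences between them are visible side by side.

```php
<?php
// Added example (not from the original post), runnable with plain PHP.
// Compares strip_tags(), htmlspecialchars(), htmlentities() and the call that
// Laravel's e() helper makes, on one constructed input.

declare(strict_types=1);

// Constructed input mixing markup, an existing entity, both quote styles and a
// non-ASCII character.
$input = "<b>Caf\u{E9}</b> & \"double\" 'single' &amp; <script>x</script>";

// strip_tags(): removes tags but leaves & " ' untouched and keeps the text that
// was inside <script>. The result is NOT safe to print into HTML on its own;
// use it only to drop markup from text you will still escape afterwards.
$stripped = strip_tags($input);

// htmlspecialchars(): escapes & < > " (and ' because of ENT_QUOTES);
// non-ASCII such as é passes through unchanged, which is fine on UTF-8 pages.
$special = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// htmlentities(): everything htmlspecialchars does, plus a named entity for
// every character that has one (é becomes &eacute;). Rarely needed with UTF-8.
$entities = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// What Laravel's e() (and Blade's {{ }}) does: htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE, UTF-8, and double-encoding on, so an existing
// "&amp;" in user input is escaped again rather than trusted.
function laravelStyleEscape(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

foreach ([
    'strip_tags'       => $stripped,
    'htmlspecialchars' => $special,
    'htmlentities'     => $entities,
    'e()'              => laravelStyleEscape($input),
    'e($v, false)'     => laravelStyleEscape($input, false),
] as $label => $output) {
    printf("%-17s %s\n", $label . ':', $output);
}
```

Rule of thumb from the comparison: e() (or Blade's default `{{ }}`) for anything printed into HTML, and strip_tags() only as an extra step before escaping, never instead of it.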
