Tempest 3.0
Tempest 3.0 has been released with a new exception handler, PHP 8.5 as minimum requirement, improved CSRF protection using browser headers, database performance improvements, and closure-based validation rules.
Read more [tempestphp.com]
Stopping Laravel SQL Injection with sole()
While parameterized queries are the preferred method, sole() adds an extra layer of protection when using raw queries, especially when only one record should match.
Read more [aaronsaray.com]
Join 9,500+ smart developers
Get my monthly newsletter with what I learn from running Spatie, building Oh Dear, and maintaining 300+ open source packages. Practical takes on Laravel, PHP, and AI that you can actually use.
No spam. Unsubscribe anytime. You can also follow me on X.
"Always fresh, useful tips and articles. Carefully selected community content. My favorite newsletter, which I look forward to every time."
Convenient Content Security Policies with Spatie Laravel CSP 3 Presets
Shawn Hooper enjoys the new presets we recently added to our Laravel CSP package.
Read more [shawnhooper.ca]
How to monitor your Laravel app for critical vulnerabilities original
A critical security vulnerability was just disclosed for Livewire v3, as Stephen Rees-Carter wrote about on Securing Laravel. The vulnerability (CVE-2025-54068) allows unauthenticated attackers to achieve remote code execution in specific scenarios. What makes this particularly concerning is that exploitation doesn't require authentication or user interaction - just a component mounted and configured in a particular way.
This vulnerability affects all Livewire v3 versions up to 3.6.3. If you're running any version in that range, attackers could potentially run arbitrary PHP code on your server. Stephan warns us the open-source nature of the fix means attackers may already be reverse-engineering the patch to identify and abuse the exploit.
Many production apps are probably running vulnerable versions right now, with their developers completely unaware. This is where automated security monitoring becomes invaluable - using Laravel Health to check for vulnerabilities, and optionally services like Oh Dear to send you notifications when issues are detected.
A package to handle one-time passwords (OTP) in Laravel apps original
Our new package gives you everything you need to build a secure one-time password auth flow.
Read more [spatie.be]
A package to handle passkeys in Laravel original
I’m proud to announce that we’ve released a new package called spatie/laravel-passkeys that makes adding passkeys to a Laravel app as easy as it can be.
Read more [spatie.be]
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
Troy Hunt recently becaming the victim of phising. This proves yet again, that this can happen to anyone, not only non-technical people.
Read more [www.troyhunt.com]
Goodbye reCAPTCHA, hello Turnstile
We've been using this solution in our projects as well.
Read more [darkghosthunter.medium.com]
🚀 Laravel CSP v3 has been released, now supports presets
We just tagged & released a new major version of spatie/laravel-csp, a package to manage your Laravel app's content security policy. The development goal for version 3 was to reduce the boilerplate of configuring a policy for common services like Google Tag Manager, Fathom Analytics, Adobe Fonts…
Read more [spatie.be]
Introducing laravel-tfa-confirmation
– stefanzweifel.dev - submitted by Stefan Zweifel
A new Laravel package to protect sensitive routes or actions with a confirmation-screen and ask for the two-factor authentication code of a user.
Read more [stefanzweifel.dev]
Supercharging Rate Limiting with Cloudflare
By implementing rate limiting at the edge, “dead requests” can be reduced.
Read more [james.brooks.page]
Don't hardcode admin domains for auth
Stephen Rees-Carter tells how hardcoding admin domains in code can lead to security vulnerabilities
Read more [securinglaravel.com]
Using 1password for Laravel environment variables
Here's how we handle secrets at Flare
Read more [flareapp.io]
Livewire Strict: Enforce additional security measures to Livewire
– wire-elements.dev - submitted by Philo
Livewire Strict helps enforce security measures and prevents you from having unprotected sensitive public properties.
Read more [wire-elements.dev]
Encrypting Queued Jobs, Notifications, Mail, and Listeners in Laravel
– ashallendesign.co.uk - submitted by Ash Allen
Read about how to encrypt queued jobs, notifications, mailables, and listeners in Laravel for improved security.
Read more [ashallendesign.co.uk]
Protecting your email address via SVG instead of JS
A nice technique to prevent simple bots from harvesting your email address.
Read more [rouninmedia.github.io]
How we stopped a DDoS attack at Laracon
– flareapp.io - submitted by Spatie
Discover how we stopped a DDoS attack at Laracon!
Read more [flareapp.io]
Automatically Hash Laravel Model Values Using the "Hashed" Cast
– ashallendesign.co.uk - submitted by Ash Allen
Learn how to automatically hash sensitive data (such as passwords) using the "hashed" model cast in Laravel. This article also covers how to test your field is being hashed correctly.
Read more [ashallendesign.co.uk]
Making sure Laravel's debug mode is always disabled in production original
Recently, people started talking about a malware called “Androxgh0st” specifically targeting Laravel apps. In a recent edition of Securing Laravel, Stephen Rees-Carter wrote a good explanation of how it works. The malware targets apps with APP_DEBUG set to true. When enabled, Laravel will give…
Read more [ohdear.app]
Managing production environment variables for Laravel deployments
Here's how we handle our production secrets at Flare.
Read more [flareapp.io]
