End-to-End Encryption in the Browser
A nice explanation of the window.crypto functions that are available in all major browsers.
Read more [blog.excalidraw.com]
Mohammed Said tweeted out a couple of very interesting videos on some of Laravel's security related features.
On the Oh Dear blog, Mattias Geniar shares how he found all certificates that were affected by Let's Encrypt mass revocation of SSL certificates.
Read more [ohdear.app]
Here's how to let password managers recognise your login form and let you use their features on your fields.
Read more [hiddedevries.nl]
Julia Evans explains how parties like Facebook can follow you around the web.
In this post we’ll experiment a bit and see exactly how Facebook can know what products you’ve looked at online! I’m using Facebook as an example in this blog post just because it’s easy to find websites with Facebook tracking pixels on them but of course almost every internet advertising company does this kind of tracking.
Read more [jvns.ca]
Mattias Geniar explains all the ways an IP address can be written.
Most of us write our IP addresses the way we've been taught, a long time ago: 127.0.0.1, 10.0.2.1, ... but that gets boring after a while, doesn't it. Luckily, there's a couple of ways to write an IP address, so you can mess with coworkers, clients or use it as a security measure to bypass certain (input) filters.
Read more [ma.ttias.be]
Scary stuff.
US BlackHat 2018 proved that it is possible to obtain RCE from a PHAR package; moreover, by tweaking its binary content, it's possible to disguise it as a fully valid image, bypassing security checks.
Read more [www.nc-lp.com]
Simon Kollross explains how to use our laravel-backup package to create an encrypted backup of your Laravel based app.
You should always encrypt backups of your apps and securely transfer them to one or multiple backup destinations. If you encrypt the backups on your server and transfer only the encrypted version, your backups are stored encrypted at rest in your backup destination. Not even your backup storage provider is able to read them.
Read more [simonkollross.de]
In a new post on the Oh Dear blog, there's a good explanation of how HSTS improves security.
HSTS stands for HTTP Strict Transport Security. It's a mechanism that allows a website to signal that it should only be reached via HTTPS - the encrypted HTTP - instead of the plain text HyperText Transfer Protocol.
Read more [ohdear.app]
Here's a PDF, made by Ryan Grove, that executes JavaScript when you open it in Chrome.
Read more [rawgit.com]
In a Laravel app, policies are a great way to organize authorization logic that revolves around models.
For the longest time, I've been using Gate::before to allow superadmins to do anything they want. While working on a new app, it finally clicked how Gate::after can be useful too. I'd like to share that knowledge in this blog post.
My colleague Brent offers some more details on the intricacies of Laravel's query builder.
I recently learned that not all query builder functionality in Laravel is "safe". This means that user input shouldn't be passed directly to it, as it might expose your application to SQL injection vulnerabilities.
Read more [stitcher.io]
Our laravel-query-builder package exposed a serious security issue: it allowed SQL injection attacks. Laravel Query Builder v1.17.1, which is now available, fixes the vulnerability. If you're using the package, stop reading now and upgrade to the latest version first. For Laravel 5.6, 5.7 and 5.8…
Mattias Geniar argues that you shouldn't buy extended validation certificates.
You know those certificates you paid 5x more for than a normal one? The ones that are supposed to give you a green address bar with your company name imprinted on it? It's been mentioned before, but my take is the same: they're dead.
Read more [ma.ttias.be]
Matt Allan took a deep dive learning about environment variables.
Laravel, Symfony, and other modern PHP frameworks use environment variables to store security credentials and configuration that changes from one machine to the next. ... Let’s break down what environment variables are, how they work, and how to correctly use them in your code.
Read more [mattallan.me]
I fully agree with Troy Hunt here.
So in summary, everyone clicks through cookie warnings anyway, if you read them you either can't understand what they're saying or the configuration of privacy settings is a nightmare, depending on where you are in the world you either don't get privacy or you don't get UX hell, if you understand the privacy risks then it's easy to open links incognito or use an ad blocker, you can still be tracked anyway and finally, the whole thing is just conditioning people to make bad security choices.
Read more [www.troyhunt.com]
Here’s another: see the public keys of a github user by adding ‘.keys’ to their profile URL:
— Bramus! (@bramus) January 23, 2019
https://t.co/GaHnUISqM1
https://t.co/zIeqVbxQbE
Read more [twitter.com]
When adding a form to a public site, there's a risk that spam bots will try to submit it with fake values. We recently released a new package, called laravel-honeypot, that can detect these spammy requests. How honeypots work: the majority of spam bots are pretty dumb. You can thwart most of them by…
Implementing the change-password-url spec in Laravel (aka: it's really dead simple) https://t.co/ow1PNMqecy pic.twitter.com/kTJK6Jq5rn
— /dev/eloper (@mattiasgeniar) December 7, 2018
Read more [twitter.com]
The last couple of weeks some strange Imagick errors popped up across all our servers. In a new blog post my colleague Alex explains the cause and the fix.
Over the last few days we've had a couple of issues with Imagick and processing PDFs on our servers. As it turns out, these issues are caused by automatic security updates. Let's look into the issue and its solution.
Read more [alexvanderbist.com]