security

All my posts about security.

APP_KEY And You

tighten.co

Jake Bathman, developer at Tighten Co, wrote a new blogpost explaining what Laravel's APP_KEY environment variable is used for.

In this post, we'll talk about what APP_KEY does and doesn't do, some common misconceptions about its relationship to user password hashing, and the simple steps to changing your APP_KEY safely without losing access to your data.

Read more [tighten.co]
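The distinction the post draws, shown as an added example in plain PHP (this is not code from Jake's post or from Laravel itself): a bcrypt password hash carries its own salt and never involves APP_KEY, while anything encrypted with the key can only be read back with that same key, so changing the key safely means re-encrypting the stored ciphertexts. The encrypt-then-MAC layout below is modelled on Laravel's AES-256-CBC plus HMAC-SHA256 approach but is deliberately not byte-compatible with the framework's payload format; the keys are generated inside the example and `rotatePayload` is an illustrative helper name.

```php
<?php
declare(strict_types=1);

// Illustrative key generation in the same "base64:<32 random bytes>" shape Laravel uses.
// Keys are constructed for this example and are not taken from the original post.
function generateKey(): string
{
    return 'base64:' . base64_encode(random_bytes(32));
}

// Turn the APP_KEY string into the raw 32-byte key the cipher needs.
function rawKey(string $appKey): string
{
    if (strpos($appKey, 'base64:') === 0) {
        $decoded = base64_decode(substr($appKey, 7), true);
        if ($decoded === false) {
            throw new RuntimeException('APP_KEY is not valid base64');
        }
        return $decoded;
    }
    return $appKey;
}

function encryptValue(string $plaintext, string $appKey): string
{
    $key = rawKey($appKey);
    $iv = random_bytes(16);
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers IV and ciphertext so tampering is detected
    // before anything is decrypted. (Simplified layout, not Laravel's JSON payload.)
    $mac = hash_hmac('sha256', $iv . $ciphertext, $key, true);
    return base64_encode($iv . $ciphertext . $mac);
}

function decryptValue(string $payload, string $appKey): string
{
    $key = rawKey($appKey);
    $raw = base64_decode($payload, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        throw new RuntimeException('malformed payload');
    }
    $iv = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ciphertext = substr($raw, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ciphertext, $key, true);
    // Constant-time comparison: a wrong key (or a tampered payload) fails here.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('MAC mismatch: wrong key or tampered payload');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Re-encrypt a payload under a new key: the way to rotate APP_KEY without losing
// encrypted data (encrypted cookies, encrypted model attributes, ...).
function rotatePayload(string $payload, string $oldKey, string $newKey): string
{
    return encryptValue(decryptValue($payload, $oldKey), $newKey);
}

$oldKey = generateKey();
$newKey = generateKey();

// 1. Password hashes: bcrypt salts itself and never touches APP_KEY,
//    so verification still succeeds whatever the key is set to.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
var_dump(password_verify('correct horse battery staple', $hash));

// 2. Encrypted data is bound to the key it was encrypted with:
//    the old key decrypts it, the new key fails the MAC check.
$secret = encryptValue('api-token-1234', $oldKey);
var_dump(decryptValue($secret, $oldKey));
try {
    decryptValue($secret, $newKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 3. Rotation: decrypt with the old key, encrypt with the new one, store the result.
$rotated = rotatePayload($secret, $oldKey, $newKey);
var_dump(decryptValue($rotated, $newKey));
```

Run it with `php app-key.php`. The practical consequence for a real application is the loop in step 3: before the new APP_KEY goes live, every encrypted column and every encrypted cookie that must survive has to be re-encrypted with both keys available; the password table needs no such migration.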


Extended Validation Certificates are Dead

www.troyhunt.com

In a new blogpost Troy Hunt explains why you shouldn't bother buying an EV certificate anymore.

That's it - I'm calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from "barely there" to "as good as non-existent". This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS

Read more [www.troyhunt.com]

A new security header: Feature Policy

scotthelme.co.uk

Scott Helme, creator of both securityheaders.com and report-uri.com, introduces a header to enable or disable certain browser APIs on a webpage.

Feature Policy is being created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Being able to restrict the features your site can use is really nice but being able to restrict features that sites you embed can use is an even better protection to have.

Read more [scotthelme.co.uk]

How to hack and win the May Mayhem blog contest

alexvanderbist.com

Recently Taylor Otwell held a blogging competition. Entries were submitted to a GitHub repo, and the post with the most reactions would win. My colleague Alex wrote a blogpost on how you could easily win the competition by hacking a bit. It's pretty awesome that Alex, without using any of the hacks described in the post, wound up winning the competition.

I feel like programmers are often as good at breaking things as they are at fixing things. Part of the thought process of programming anything new is figuring out its flaws, weaknesses and possible exploitations. As a web developer, I often find myself applying the same thought process to everything I see and read about online. Including Laravel's May Mayhem blog contest.

Read more [alexvanderbist.com]

Certificate Transparency, an introduction

Scott Helme, creator of securityheaders.io, wrote a good introduction to certificate transparency.

Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA.

https://scotthelme.co.uk/certificate-transparency-an-introduction/

Oh Dear!, my side project, leverages certificate transparency logs to send you a notification as soon as a new certificate is issued for your domain.

Read more

1.1.1.1 is the new 8.8.8.8

For years I've used Google's public DNS service. Its famous IP address is 8.8.8.8. It resolves addresses faster than my internet provider's DNS servers do.

Yesterday Cloudflare launched its DNS service, which promises to be faster and better for your privacy. It has an awesome IP address: 1.1.1.1. Here are some benchmarks.

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads. We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1

The announcement: https://blog.cloudflare.com/announcing-1111/

More info + how to set it up on your device: https://1.1.1.1/

Read more

Using Content Security Policy headers in a Laravel app

by Freek Van der Herten – 5 minute read

By default all scripts on a webpage are allowed to send and fetch data from and to any site they want. If you think about it, that's kinda scary. Imagine that one of your JavaScript dependencies would send all keystrokes, including passwords, to a third party website. That would be pretty bad. In…

Read more

A new security header: Referrer Policy

Almost a year ago, Scott Helme, creator of securityheaders.io and report-uri.com, wrote a blogpost on a little-known HTTP header: Referrer-Policy.

Regular readers will know how fond I am of the existing security headers so it's great to hear that we're getting another! Referrer Policy will allow a site to control the value of the referer header in links away from their pages.

https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Read more
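The three response headers covered in the Feature Policy, Content Security Policy and Referrer Policy entries above, set from one place, as an added example in framework-free PHP (not code from any of the linked posts or from a Laravel package). The policy values are illustrative choices for a site that serves its own scripts and only talks to its own origin; the `/csp-report` endpoint is assumed to exist, and the `SecurityHeaders` class name is invented for the example.

```php
<?php
declare(strict_types=1);

final class SecurityHeaders
{
    /** @var string */
    private $nonce;

    public function __construct()
    {
        // A fresh per-response nonce lets the inline scripts you control run
        // while every other inline script is blocked by the CSP.
        $this->nonce = base64_encode(random_bytes(16));
    }

    public function nonce(): string
    {
        return $this->nonce;
    }

    /** @return array<string,string> header name => header value */
    public function headers(): array
    {
        return [
            // Scripts may only come from our origin or carry this response's nonce;
            // connect-src is what stops a rogue dependency from posting keystrokes
            // to a third-party host. Violations are reported, not silently dropped.
            'Content-Security-Policy' => implode('; ', [
                "default-src 'self'",
                "script-src 'self' 'nonce-{$this->nonce}'",
                "connect-src 'self'",
                "object-src 'none'",
                "base-uri 'self'",
                "report-uri /csp-report",
            ]),
            // Cross-origin navigations get only our origin as referrer, and
            // nothing at all when downgrading from HTTPS to HTTP.
            'Referrer-Policy' => 'strict-origin-when-cross-origin',
            // Disable powerful APIs for this page and for every frame it embeds.
            'Feature-Policy' => "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none'",
        ];
    }

    // In a real request cycle this is all the middleware has to do.
    public function send(): void
    {
        foreach ($this->headers() as $name => $value) {
            header($name . ': ' . $value);
        }
    }
}

$policy = new SecurityHeaders();

// Show what would be sent (the CLI has no response to attach headers to).
foreach ($policy->headers() as $name => $value) {
    echo $name, ': ', $value, PHP_EOL;
}

// In a template, the inline scripts you trust carry the same nonce; everything
// else inline is refused by the browser.
printf('<script nonce="%s">/* allowed by script-src */</script>%s',
    htmlspecialchars($policy->nonce(), ENT_QUOTES), PHP_EOL);
```

In a Laravel application the `headers()` loop belongs in a middleware's `handle()` method, applied to the response with `$response->header($name, $value)`, and the nonce has to be shared with the view that renders the inline scripts. Two caveats: start CSP in `Content-Security-Policy-Report-Only` mode and read the reports before enforcing, because a policy this tight will break any script or XHR you forgot about; and browsers have since replaced `Feature-Policy` with `Permissions-Policy`, which uses a different syntax, so the `Feature-Policy` line follows the header as it existed at the time of the post.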

Extended validation is broken

In a new article on his blog Ian Carroll shows that it's quite easy to trick users into thinking that they're connected to the right site.

Extended validation ("EV") certificates are a unique type of certificate issued by certificate authorities after more extensive validation of the entity requesting the certificate. In exchange for this more rigorous vetting, browsers show a special indicator like a green bar containing the company name, or in the case of Safari completely replace the URL with the company name. ... Today, I will demonstrate another issue with EV certificates: colliding entity names. Specifically, this site uses an EV certificate for "Stripe, Inc", that was legitimately issued by Comodo.

https://stripe.ian.sh/

Read more

Handling CORS in a Laravel application

by Freek Van der Herten – 5 minute read

Recently we released laravel-cors. This package can add the necessary CORS headers to your Laravel app. In this post I'd like to give a quick explanation of what CORS is and how you can use the package. What is CORS Imagine that all JavaScript code for domain X running in a browser would be able to…

Read more
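What the headers the post talks about actually have to do, as an added, framework-free PHP example (this is not the laravel-cors package): check the `Origin` against an exact allow list, answer preflight `OPTIONS` requests, and leave disallowed origins without any CORS headers so the browser blocks the response. The `Cors` class name, the sample origins and the request headers below are constructed for the example; it assumes header names have already been normalised to the casing used here.

```php
<?php
declare(strict_types=1);

final class Cors
{
    /** @var string[] */
    private $allowedOrigins;
    /** @var string[] */
    private $allowedMethods;
    /** @var string[] */
    private $allowedHeaders;

    public function __construct(array $allowedOrigins, array $allowedMethods, array $allowedHeaders)
    {
        $this->allowedOrigins = $allowedOrigins;
        $this->allowedMethods = $allowedMethods;
        $this->allowedHeaders = $allowedHeaders;
    }

    /**
     * @param  array<string,string> $requestHeaders
     * @return array{status:?int, headers:array<string,string>}
     *         status 204 means "answer the preflight now"; null means "continue to the app".
     */
    public function handle(string $method, array $requestHeaders): array
    {
        $origin = $requestHeaders['Origin'] ?? null;

        // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
        if ($origin === null) {
            return ['status' => null, 'headers' => []];
        }

        // Exact, case-sensitive match. A substring or regex check is the classic mistake:
        // "https://app.example.com.evil.test" must not pass as "https://app.example.com".
        if (!in_array($origin, $this->allowedOrigins, true)) {
            return ['status' => null, 'headers' => []]; // browser will block the response
        }

        $headers = [
            // Echo the matched origin rather than "*": "*" cannot be combined with
            // credentials, and echoing an unchecked Origin with credentials on would let
            // every site read authenticated responses.
            'Access-Control-Allow-Origin' => $origin,
            // The response now differs per origin, so shared caches must key on it.
            'Vary' => 'Origin',
        ];

        $isPreflight = $method === 'OPTIONS'
            && isset($requestHeaders['Access-Control-Request-Method']);

        if (!$isPreflight) {
            return ['status' => null, 'headers' => $headers];
        }

        // Preflight: tell the browser what the actual request may use, then stop.
        $headers += [
            'Access-Control-Allow-Methods' => implode(', ', $this->allowedMethods),
            'Access-Control-Allow-Headers' => implode(', ', $this->allowedHeaders),
            'Access-Control-Max-Age'       => '600',
        ];
        return ['status' => 204, 'headers' => $headers];
    }
}

$cors = new Cors(
    ['https://app.example.com'],
    ['GET', 'POST', 'PUT'],
    ['Content-Type', 'Authorization']
);

// Constructed requests, not captured traffic.
print_r($cors->handle('OPTIONS', [
    'Origin'                         => 'https://app.example.com',
    'Access-Control-Request-Method'  => 'PUT',
    'Access-Control-Request-Headers' => 'content-type',
]));                                                             // preflight: 204 + allow headers
print_r($cors->handle('PUT', ['Origin' => 'https://app.example.com']));       // actual request: origin echoed
print_r($cors->handle('GET', ['Origin' => 'https://app.example.com.evil.test'])); // not on the list: no headers
```

Wired into a Laravel middleware, a `status` of 204 means returning an empty response with those headers immediately; `null` means adding the headers to whatever the application returns. Remember that CORS is a browser-enforced read restriction: it does not stop a cross-origin `POST` from being sent, so CSRF protection on state-changing routes is still required.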

I’m harvesting credit card numbers and passwords from your site. Here’s how.

In an article at Hackernoon, David Gilbertson warns about the dangers of trusting third-party packages on npm. He goes into how a package can make unwanted HTTP requests in the browser and how you can protect yourself against that.

It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability. It’s been a real struggle for me personally to pretend like I understand what’s going on when asked about it by family members.

Seeing people close to me get all flustered at the prospect of being “powned” has really put things in perspective for me.

So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years.

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Read more

Anatomy of a PHP Hack

Aaron Saray recently found some rogue code on a hacked website and investigated what it actually does.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

This obfuscated code is doing something bad, but we don’t know what at first glance. Obviously, the solution is to remove it - but - aren’t you a little curious what it was doing? Let’s take a look.

https://aaronsaray.com/2017/anatomy-of-a-php-hack.html

Read more

iTerm2 leaks everything you hover in your terminal via DNS requests

iTerm2, a popular terminal app, contained a very bad security issue. Everything you hovered over was checked to see whether it was a clickable URL, and to decide whether a string was a valid hostname iTerm2 looked it up at your DNS server. So if you hovered over a password, a secret key or anything else sensitive, it was sent out over the internet. Obviously this is a big problem. It's fixed in the latest version, so if you use iTerm2 and haven't updated it recently, be sure to do it now! The problem is fixed in version 3.1.1.

iTerm2's leak issue was first discovered ten months ago. iTerm2's creator initially reacted by adding an option to iTerm 3.0.13 that allowed users to disable DNS lookups. The feature remained turned on by default for new and existing installations.

Dutch developer Peter van Dijk, software engineer for PowerDNS, a supplier of open-source DNS software and DNS management service, re-reported this feature and this time around, he pointed out some of the severe privacy leaks not included in the first bug report.

"iTerm sent various things (including passwords) in plain text to my ISP's DNS server," van Dijk wrote flabbergasted in a bug report he filed earlier today.

This time around, George Nachman, iTerm2's maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing possible consequences in more depth.

https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/

Read more

Messing around with HTTP status codes

The HTTP specification says that status codes should be three-digit integers, but what happens if they are not? April King, head of website security at Mozilla, did some fun experiments to find out.

While it is easy to create test cases for conditions that don't satisfy this requirement, it is somewhat more difficult to determine how third-party libraries will handle HTTP requests that fall outside this constraint. I looked around the internet for websites to help me test weird status codes, but most of them only let me test with the known status codes. As such, I decided to add arbitrary HTTP status codes to my naughty httpbin fork, called misbehaving.site.

What I discovered is that the various browser manufacturers have wildly different behavior with how they handle unknown HTTP status codes.

https://pokeinthe.io/2017/09/14/http-status-code-handling/

Read more
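The flip side of April's experiment, as an added PHP example (not code from her post or from misbehaving.site): the behaviour she found differs between clients precisely where a parser guesses instead of applying the grammar. Per RFC 7230 the status line is `HTTP-version SP 3DIGIT SP reason-phrase CRLF`, so a client can reject anything else outright and, for well-formed but unassigned codes, fall back to the class given by the first digit. The sample status lines below are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Strict status-line parser.
 *
 * Accepts exactly: HTTP/<d>.<d> SP <3 digits> SP <reason-phrase> CRLF.
 * The single tolerated deviation is a missing reason-phrase (and the SP before it),
 * because many servers send "HTTP/1.1 200\r\n". Everything else is refused.
 *
 * @return array{version:string, code:int, reason:string}
 */
function parseStatusLine(string $line): array
{
    // reason-phrase = *( HTAB / SP / VCHAR / obs-text ); no /u flag so \x80-\xFF are bytes.
    $pattern = '/^HTTP\/(\d)\.(\d) (\d{3})(?: ([\x09\x20\x21-\x7E\x80-\xFF]*))?\r\n\z/';
    if (!preg_match($pattern, $line, $m)) {
        throw new InvalidArgumentException('malformed status line: ' . json_encode($line));
    }
    $code = (int) $m[3];
    // Three digits is necessary but not sufficient: 000 and 6xx-9xx have no defined class.
    if ($code < 100 || $code > 599) {
        throw new InvalidArgumentException('status code outside 100-599: ' . $m[3]);
    }
    return ['version' => $m[1] . '.' . $m[2], 'code' => $code, 'reason' => $m[4] ?? ''];
}

// RFC 7231 s6: an unrecognised code is treated as the x00 code of its class,
// so 299 behaves like 200 and 499 like 400.
function statusClass(int $code): int
{
    return intdiv($code, 100);
}

// Constructed samples covering the cases a lenient parser gets wrong.
$samples = [
    "HTTP/1.1 200 OK\r\n",
    "HTTP/1.1 200\r\n",                      // tolerated: no reason-phrase
    "HTTP/1.1 299 Unassigned but valid\r\n", // well-formed, class 2xx
    "HTTP/1.1 20 OK\r\n",                    // two digits
    "HTTP/1.1 1000 Too Big\r\n",             // four digits
    "HTTP/1.1 000 Zero\r\n",                 // three digits, no class
    "HTTP/1.1 0x20 Hex\r\n",                 // not digits
    "HTTP/1.1 200 OK\n",                     // bare LF instead of CRLF
];

foreach ($samples as $line) {
    try {
        $status = parseStatusLine($line);
        printf("accepted %-42s -> %d (class %dxx)\n",
            json_encode($line), $status['code'], statusClass($status['code']));
    } catch (InvalidArgumentException $e) {
        printf("rejected %-42s -> %s\n", json_encode($line), $e->getMessage());
    }
}
```

The point for anyone writing an HTTP client or a proxy is that the rejected lines above are exactly the inputs on which browsers disagreed; a library that silently coerces "1000" or "0x20" to some integer will behave differently from the browser sitting in front of it, and that gap is where request-smuggling style confusion starts.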

PHP 7.2 is due in November. What's new?

PHP 7.2 is just around the corner. In a new blogpost Martin Hujer walks us through the changes.

PHP 7.2 is planned to be released on 30th November 2017 (see the timetable). And it comes with two new security features in the core, several smaller improvements and some language legacy clean-ups. In the article, I will describe what the improvements and changes are. I read the RFCs, discussions on internals and PRs on Github, so you don't have to.

https://blog.martinhujer.cz/php-7-2-is-due-in-november-whats-new/

Read more

Free Wildcard SSL Using Forge + Cloudflare

If you need a free SSL certificate, Let's Encrypt seems like the obvious way to go. But the installation and renewal process of Let's Encrypt surely has its caveats. An alternative to Let's Encrypt is to use a free certificate issued by Cloudflare. On his blog Taylor Otwell published a post explaining how to request and install such a certificate.

I personally prefer to use Cloudflare, another service that offers free SSL certificates, as well as a variety of other free and paid services that are useful for web developers. I prefer Cloudflare because: - Cloudflare doesn’t require any renewal process to ever run on my server. LetsEncrypt renewals must run on my server at least every 3 months and that’s just one more thing that sometimes can (and does) go wrong. - Cloudflare supports wildcard sub-domains.

https://medium.com/@taylorotwell/free-wildcard-ssl-using-forge-cloudflare-ab0ebfbf129f

Read more

Configuration-driven PHP security advice considered harmful

Scott Arciszewski debunks the commonly given advice on securing your PHP installation by setting some php.ini values.

There have been countless examples posted in various places (Reddit, Hacker News, Twitter, Facebook, Slashdot, and even LinkedIn group discussions), and while a handful occasionally contain one or two tips that might be beneficial towards securing your PHP applications, almost all of the advice they contain is either wrong, a huge waste of time, downright silly, or all of above.

As part of a team that specializes in application security (in particular: securing PHP applications), I feel it's high time someone cleared the air about this advice.

https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

Read more

The delicious evils of PHP

In a post on SitePoint Christopher Pitt demonstrates some cool uses of eval and exec.

I want to look at two PHP functions: eval and exec. They’re so often thrown under the sensible-developers-never-use-these bus that I sometimes wonder how many awesome applications we miss out on.

Like every other function in the standard library, these have their uses. They can be abused. Their danger lies in the amount of flexibility and power they offer even the most novice of developers.

Let me show you some of the ways I’ve seen these used, and then we can talk about safety precautions and moderation.

https://www.sitepoint.com/the-delicious-evils-of-php/

Read more
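The "safety precautions" side of Christopher's argument for exec, as an added PHP example (not code from his article): the same call that is useful with a fixed command becomes command injection the moment untrusted input is interpolated into it, and the fixes are, in increasing order of strength, escaping the argument, validating it, and not letting user input reach the shell at all. The payload and the hostname rule are constructed for the example, and it assumes a POSIX shell since `exec()` hands its string to `/bin/sh` on Unix-like systems.

```php
<?php
declare(strict_types=1);

// VULNERABLE (kept for illustration): untrusted input is glued into a shell command,
// so shell metacharacters in $target become additional commands.
function runUnsafe(string $target): array
{
    exec('echo ' . $target, $output);
    return $output;
}

// HARDENED step 1: escapeshellarg() turns the whole value into one quoted argument,
// so ";" "|" "$(...)" and friends are passed to the program as literal text.
function runEscaped(string $target): array
{
    exec('echo ' . escapeshellarg($target), $output);
    return $output;
}

// HARDENED step 2: when you know what legitimate input looks like, validate first.
// Here the value must be a hostname (RFC 1123 labels); anything else is refused.
function runValidated(string $target): array
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($target) > 253 || !preg_match("/^{$label}(?:\\.{$label})*$/", $target)) {
        throw new InvalidArgumentException('refusing non-hostname input: ' . $target);
    }
    return runEscaped($target);
}

// HARDENED step 3: if users only need to choose between a few actions, map the choice
// to a fixed command string and never interpolate their input at all.
function runFromAllowList(string $action): array
{
    $commands = [
        'date'   => 'date -u',
        'uptime' => 'uptime',
    ];
    if (!array_key_exists($action, $commands)) {
        throw new InvalidArgumentException('unknown action: ' . $action);
    }
    exec($commands[$action], $output);
    return $output;
}

// Constructed payload with a benign second command, so the difference is visible
// without doing any harm.
$payload = 'example.com; echo INJECTED';

print_r(runUnsafe($payload));   // the shell also ran "echo INJECTED": two lines of output
print_r(runEscaped($payload));  // the payload is echoed as one literal string: one line

try {
    runValidated($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    runFromAllowList('date; echo INJECTED');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
print_r(runFromAllowList('date'));
```

Two notes on the design. Escaping alone (step 1) is the minimum and still leaves you trusting `escapeshellarg()` against the local shell and locale, which is why validation against a positive pattern (step 2) or an allow list (step 3) is preferable whenever the input space is known; from PHP 7.4 onwards `proc_open()` also accepts the command as an array, which bypasses the shell entirely. And `eval()` has no `escapeshellarg()` equivalent: there is no quoting that makes untrusted input safe inside code, so for eval the precaution is not to mix user input into the string at all.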