Categories
Development LaraSec Security

Should You Block Compromised Passwords?

This is the thirteenth security tip from Laravel Security in Depth.Subscribe to receive weekly security tips and monthly In Depth emails covering Laravel Security topics. Passwords are the digital keys that keep user accounts safe, but passwords only work when they are secret and unguessable. The classic “fix” is to impose password complexity rules, but […]

Categories
Development LaraSec Security

Selectively Stage and Commit Changes

This is the tenth security tip from Laravel Security in Depth.Subscribe to receive weekly security tips and monthly In Depth emails covering Laravel Security topics. When committing changes into version control, you should always selectively stage your changes first before committing. This allows you to manually review every line of code you commit, to ensure […]

Categories
Development LaraSec Security

Always Pass User Input Through a Validator

This is the seventh security tip from Laravel Security in Depth, which was sent out on November 9th. You can subscribe to receive more tips and monthly In Depth emails covering of Laravel Security. Don’t trust user input. Don’t trust user input. And one more for good measure… Don’t trust user input. You should always […]

Categories
Development LaraSec Security

Why Parameterised Queries Are Important

This is the fourth security tip from my Laravel Security in Depth newsletter, sent out to all subscribers on October 8th. Please subscribe if you’d like these tips delivered weekly. Laravel provides an expressive fluent interface for building database queries, either as raw queries through the query builder or as part of Eloquent (Laravel’s Object-Relational Mapper, ORM). The query builder allows […]

Categories
Security

Introducing Laravel Security in Depth

I started Laravel Security in Depth as a way to share my security knowledge with the Laravel community, and have a lot of fun doing so. My goal is to provide a community for everyone, regardless of their skill level and prior experience in security, where you can learn new things and ask questions, and learn to […]

Categories
Security Development

CSRF Is Dead, Long Live SameSite=Lax! (or is it?)

In the original version my talk “Think Like a Hacker and Secure WordPress, live on stage“, I demonstrated a Cross-Site Request Forgery (CSRF) attack. While this attack worked perfectly during WordCamp Brisbane 2019, in-progress changes to Google Chrome (version 80) are bringing about the end of CSRF. (Well, sort of…) In light of this change, […]

Categories
Development Security Tutorials

Sign Git Commits With A Keybase GPG Key

A relatively unknown and underused feature of Git is the ability to cryptographically sign commits. It is an optional feature that provides a way for the author of a commit to prove ownership. It uses the author’s GPG key to leave a signature in the commit that can be checked later. If you’re a Keybase […]

Categories
Random thoughts

Hello World (again)!

Welcome to my new website. It’s been a long while since I rebuilt my last one (two jobs ago, infact!), so I figured I should launch a new site and get back into the blogging thing. It may surprise some of you, but my site is now running on WordPress again. Yup, WordPress. There are […]