
Stephen Rees-Carter :laravel:

@valorin@phpc.social
mastodon 4.5.7

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I hack stuff on stage for fun. 😈
I used to be found at: @valorin@infosec.exchange
#searchable

0 Followers
0 Following
Joined April 25, 2022
Social Links:
https://pinkary.com/@valorin
Newsletter:
https://securinglaravel.com
Course:
https://practicallaravelsecurity.com
Security Audits:
https://valorinsecurity.com

Posts

@valorin@phpc.social · 5d ago

As Laravel's friendly hacker, I feel it is my duty to inform everyone that Laravel v11 is no longer supported! 😱

❌ Bug fixes (they stopped 6 months ago)
❌ Security fixes (they stop today!)

Have you upgraded yet?

https://laravel.com/docs/releases#support-policy #Laravel

@valorin@phpc.social · Mar 09, 2026

Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.

https://securinglaravel.com/security-tip-your-jwt-might-be-a-forever-key/ #Laravel

@valorin@phpc.social · Mar 02, 2026

Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.

https://securinglaravel.com/security-tip-validate-config-at-boot/ #Laravel

@valorin@phpc.social · Feb 25, 2026
PSA for Statamic folks - update your sites ASAP! ⚠️ A CRITICAL vuln was discovered that allows full account takeover via password resets! 😱 All the details: https://cvereports.com/reports/CVE-2026-27593 #Laravel
@valorin@phpc.social · Feb 23, 2026

You can't trust an email address you haven't verified, so why are you storing them in your database?

https://securinglaravel.com/in-depth-email-verification-isnt-as-simple-as-you-think/ #Laravel

@valorin@phpc.social · Feb 14, 2026

routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?

https://securinglaravel.com/security-tip-consider-all-routes-not-just-web/

@valorin@phpc.social · Feb 05, 2026

I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...

https://securinglaravel.com/security-tip-update-your-packages-yes-this-again

@valorin@phpc.social · Feb 04, 2026

It's been 4 months, a lot has happened, but I'm finally back to writing securinglaravel.com!

New Security Tip coming out in a few hours...

@valorin@phpc.social · Nov 18, 2025

Exhausted after #LaraconAU last week, but excited by how it all went!

I was so proud of everyone in my workshop on Wednesday - everyone had a go, and the excitement in the room as they hacked through challenges made it all worth it.

And my talk on Friday was the most absurd and crazy thing I've done on stage (which is saying something), and I've had some great feedback that's already made it worth it. No idea what I'll do next year...

@valorin@phpc.social · Oct 17, 2025

Haven't bought tickets to my Pre-Laracon AU Security Workshop yet?! 😲

I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛

This is your final warning... ⏰
https://events.humanitix.com/lets-hack-pre-laracon-security-workshop

#Laravel #LaraconAU

@valorin@phpc.social · Oct 08, 2025

"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! 🎉
(So is @LaraconAU... but let's be honest, priorities.)

Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 https://events.humanitix.com/lets-hack-pre-laracon-security-workshop

@valorin@phpc.social · Sep 29, 2025

If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into its own hands? 🤔

https://securinglaravel.com/security-tip-how-should-apis-respond-to-http/ #Laravel

@valorin@phpc.social · Sep 25, 2025

Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?

https://securinglaravel.com/security-tip-what-is-an-httponly-cookie/ #Laravel

@valorin@phpc.social · Sep 24, 2025

Laravel Security Tip: Do You Have a Permissions Policy?

What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?

https://securinglaravel.com/security-tip-do-you-have-a-permissions-policy/
#Laravel

@valorin@phpc.social · Sep 22, 2025

Do you reset your 2FA secret keys when a user toggles TOTP off/on?

It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱

https://securinglaravel.com/security-tip-dont-forget-to-regenerate-2fa-secret-keys/ #Laravel
