PSA for @statamic.com folks - update your sites ASAP! ⚠️
A CRITICAL vuln was discovered that allows full account takeover via password resets! 😱
All the details: cvereports.com/reports/CVE-...
@valorin.bsky.social
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write securinglaravel.com and hack stuff on stage for fun. 😈 I'm found elsewhere too: https://pinkary.com/@valorin 🪄
I am determined to get back to @laravellive.dk this year, so if you have a dev team or a meetup in EU or UK and want me to run a workshop or give a talk in August, let me know!
24.02.2026 12:07 — 👍 1 🔁 0 💬 0 📌 0
Yes, I love the Bridgerton soundtracks! They have a good mix of high energy and consistent rhythm that helps me concentrate.
I'm almost always listening to some soundtrack when working, today is BSG.
That adds a whole new level of pain, good luck! 🤞
23.02.2026 22:15 — 👍 1 🔁 0 💬 0 📌 0
You can't trust an email address you haven't verified, so why are you storing them in your database?
securinglaravel.com/in-depth-ema... #Laravel
routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?
securinglaravel.com/security-tip...
I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
securinglaravel.com/security-tip...
It's been 4 months, a lot has happened, but I'm finally back to writing securinglaravel.com!
New Security Tip coming out in a few hours...
And my talk on Friday was the most absurd and crazy thing I've done on stage (which is saying something), and I've had some great feedback that's already made it worth it. No idea what I'll do next year...
18.11.2025 00:30 — 👍 1 🔁 0 💬 0 📌 0
Exhausted after #LaraconAU last week, but excited by how it all went!
I was so proud of everyone in my workshop on Wednesday - everyone had a go, and the excitement in the room as they hacked through challenges made it all worth it.
Haven't bought tickets to my Pre-@laracon.au Security Workshop yet?! 😲
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛
This is your final warning... ⏰
events.humanitix.com/lets-hack-pr...
"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! 🎉
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
Good point! I completely forgot about this option. 🤦
I've updated the article to reflect this.
If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into its own hands? 🤔
securinglaravel.com/security-tip... #Laravel
Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
securinglaravel.com/security-tip... #Laravel
I was wondering if anyone would get the reference! 🎉
I haven't seen it in a long time, the π is the only thing I remember. Not sure how I'll fit impossible IP addresses into my talk...
Exactly. 😎
Maybe next time I'll do my Ethics talk, that'd make for some fun irony. 😈
Clearly I'm being framed here!
25.09.2025 05:23 — 👍 1 🔁 0 💬 1 📌 0
Would I do something like that?
25.09.2025 04:09 — 👍 1 🔁 0 💬 1 📌 0
We'll never know how @valorin.bsky.social keeps getting invited back to speak at @laracon.au but we do know that he always puts on a heck of a talk when he does!
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
Security advocate and friendly hacker @valorin.bsky.social keeps finding his way back into the #LaraconAU lineup.
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
Laravel Security Tip: Do You Have a Permissions Policy?
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
Do you reset your 2FA secret keys when a user toggles TOTP off/on?
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱
securinglaravel.com/security-tip... #Laravel
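One way to make the toggle safe, as an added example that is not the linked Security Tip's code nor Laravel Fortify's: the secret is wiped on disable and freshly generated on every enable, so a secret copied before the user turned 2FA off never produces a valid code again. It assumes a nullable `users.two_factor_secret` column with an `encrypted` cast on the `User` model; the base32 helper and the `TwoFactorService` class name are mine, and verifying TOTP codes is left to whatever library the app already uses.

```php
<?php
// Added example, not code from securinglaravel.com or Laravel Fortify.
// Assumes: users.two_factor_secret is nullable and the User model casts it
// as 'encrypted'. Class and method names are made up for illustration.

namespace App\Services;

use App\Models\User;

final class TwoFactorService
{
    // Insecure pattern this replaces: disable() only flips a boolean and
    // enable() reuses the stored secret, so a leaked secret stays valid forever.
    // Here enable() always mints a new secret and returns it for the QR code.
    public function enable(User $user): string
    {
        $secret = $this->freshSecret();
        $user->forceFill(['two_factor_secret' => $secret])->save();

        return $secret;
    }

    // Disable removes the secret entirely; nothing survives the toggle.
    public function disable(User $user): void
    {
        $user->forceFill(['two_factor_secret' => null])->save();
    }

    // 20 random bytes = 160 bits, the minimum RFC 4226 recommends for HOTP/TOTP.
    private function freshSecret(): string
    {
        return self::base32Encode(random_bytes(20));
    }

    // Minimal RFC 4648 base32 (no padding), the alphabet authenticator apps expect.
    private static function base32Encode(string $bytes): string
    {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
        $bits = '';
        foreach (str_split($bytes) as $byte) {
            $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
        }

        $out = '';
        foreach (str_split($bits, 5) as $chunk) {
            $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
        }

        return $out;
    }
}
```

Call `disable()` from the "turn off 2FA" action and `enable()` from the "turn on" action; because `enable()` never reads the old column, there is no code path that can resurrect a previously issued secret.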
It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
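An added example of the trait in use, not the linked Security Tip's code: a destructive Artisan command guarded with `Prohibitable`, plus the service-provider wiring that prohibits it (and Laravel's own destructive database commands) whenever the app is running in production. It assumes Laravel 11 or later, where `Illuminate\Console\Prohibitable` ships; the `PurgeAuditLogs` command and the `audit_logs` table are made up.

```php
<?php
// app/Console/Commands/PurgeAuditLogs.php
// Added example; assumes Laravel 11+. Command and table names are hypothetical.

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Console\Prohibitable;
use Illuminate\Support\Facades\DB;

class PurgeAuditLogs extends Command
{
    use Prohibitable;

    protected $signature = 'audit:purge';

    protected $description = 'Delete every row in audit_logs (local/testing only)';

    public function handle(): int
    {
        // isProhibited() prints an error and returns true when the command
        // has been prohibited via PurgeAuditLogs::prohibit(); bail out first.
        if ($this->isProhibited()) {
            return Command::FAILURE;
        }

        DB::table('audit_logs')->truncate();
        $this->info('audit_logs emptied.');

        return Command::SUCCESS;
    }
}

// app/Providers/AppServiceProvider.php (boot method only)
//
// use App\Console\Commands\PurgeAuditLogs;
// use Illuminate\Support\Facades\DB;
//
// public function boot(): void
// {
//     // Framework helper: prohibits migrate:fresh, migrate:reset, db:wipe
//     // and friends when the argument is true.
//     DB::prohibitDestructiveCommands($this->app->isProduction());
//
//     // Same switch for your own command.
//     PurgeAuditLogs::prohibit($this->app->isProduction());
// }
```

Keying the switch on `isProduction()` rather than on a config flag you might forget to set means a stray `php artisan audit:purge` in the wrong shell fails closed.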
You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
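The route itself, as an added example rather than the linked Security Tip's code, together with a feature test that pins the behaviour. It assumes the application's change-password form lives at `/user/password`; the path and test class name are mine.

```php
<?php
// routes/web.php
// Added example; assumes the change-password form is served at /user/password.

use Illuminate\Support\Facades\Route;

// Password managers probe this URL to find the form. Keep the redirect itself
// outside any auth middleware: the probe must get a redirect, not a login
// page; the destination can still require a signed-in user.
Route::redirect('/.well-known/change-password', '/user/password', 302);

// tests/Feature/WellKnownChangePasswordTest.php
//
// namespace Tests\Feature;
//
// use Tests\TestCase;
//
// class WellKnownChangePasswordTest extends TestCase
// {
//     public function test_well_known_change_password_redirects_to_form(): void
//     {
//         $this->get('/.well-known/change-password')
//             ->assertRedirect('/user/password');
//     }
// }
```

The test is what keeps the redirect alive when someone later reorganises routes or wraps the whole `web` group in authentication.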
Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! 😈
securinglaravel.com/security-tip... #Laravel
Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. 🤓
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
Agreed!
It's the switching of defaults that annoys me the most. There is nothing wrong with MRU, but don't switch my defaults! Add the option and let me enable it.
So what you're saying is, you've all been off on a long weekend?
12.09.2025 00:08 — 👍 0 🔁 0 💬 0 📌 0
Ugh, I hate it when apps switch from Next/Previous Tab switching to Most Recently Used (MRU) switching with Ctrl+Tab! MRU is only logical when you can't see the other tabs, otherwise it's a UX disconnect between display and keyboard. 😒
Looking at you Telegram! 😡