@valorin.bsky.social
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.π΅οΈ I write securinglaravel.com and hack stuff on stage for fun. π I'm found elsewhere too: https://pinkary.com/@valorin πͺ
Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.
securinglaravel.com/security-tip... #Laravel
Rather than checking for essential config when it's used, throw the checks in your Service Provider - you'll know about configuration failures before your users get a weird error.
securinglaravel.com/security-tip... #Laravel
PSA for @statamic.com folks - update your sites ASAP! β οΈ
A CRITICAL vuln was discovered that allows full account takeover via password resets! π±
All the details: cvereports.com/reports/CVE-...
I am determined to get back to @laravellive.dk this year, so if you have a dev team or a meetup in EU or UK and want me to run a workshop or give a talk in August, let me know!
Yes, I love the Bridgerton soundtracks! They have a good mix of high energy and consistent rhythm that helps me concentrate.
I'm almost always listening to some soundtrack when working, today is BSG.
That adds a whole new level of pain, good luck! π€
You can't trust an email address you haven't verified, so why are you storing them in your database?
securinglaravel.com/in-depth-ema... #Laravel
routes/web.php is boring and reliable, and routes/api.php is fancy, but have you forgotten one?
securinglaravel.com/security-tip...
I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
securinglaravel.com/security-tip...
It's been 4 months, a lot has happened, but I'm finally back to writing securinglaravel.com!
New Security Tip coming out in a few hours...
And my talk on Friday was the most absurd and crazy thing I've done on stage (which is saying something), and I've had some great feedback that's already made it worth it. No idea what I'll do next year...
Exhausted after #LaraconAU last week, but excited by how it all went!
I was so proud of everyone in my workshop on Wednesday - everyone had a go, and the excitement in the room as they hacked through challenges made it all worth it.
Haven't bought tickets to my Pre-@laracon.au Security Workshop yet?! π²
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. β
This is your final warning... β°
events.humanitix.com/lets-hack-pr...
"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! π
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
π events.humanitix.com/lets-hack-pr...
Good point! I completely forgot about this option. π€¦
I've updated the article to reflect this.
If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands? π€
securinglaravel.com/security-tip... #Laravel
Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
securinglaravel.com/security-tip... #Laravel
I was wondering if anyone would get the reference! π
I haven't seen it in a long time, the Ο is the only thing I remember. Not sure how I'll fit impossible IP addresses into my talk...
Exactly. π
Maybe next time I'll do my Ethics talk, that'd make for some fun irony. π
Clearly I'm being framed here!
Would I do something like that?
We'll never know how @valorin.bsky.social keeps getting invited back to speak at @laracon.au but we do know that he always puts on a heck of a talk when he does!
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a π in your size π laracon.au/tickets
Security advocate and friendly hacker @valorin.bsky.social keeps finding his way back into the #LaraconAU lineup.
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
Laravel Security Tip: Do You Have a Permissions Policy?
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
Do you reset your 2FA secret keys when a user toggles TOTP off/on?
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! π±
securinglaravel.com/security-tip... #Laravel
It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! π±
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! π
securinglaravel.com/security-tip... #Laravel
Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. π€
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! π
Agreed!
It's the switching of defaults that annoys me the most. There is nothing wrong with MRU, but don't switch my defaults! Add the option and let me enable it.