Archive - Securing Laravel

Securing Laravel has moved!

You can find the new site at securinglaravel.com!

May 2, 2024 •

Stephen Rees-Carter

Securing Laravel PSA: Substack -> Ghost Migration is (mostly) Complete! (pt2)

Did you receive the Part 1 email from Ghost?

May 2, 2024 •

Stephen Rees-Carter

April 2024

Securing Laravel PSA: the Substack -> Ghost Migration in Progress

Just a quick note to let you know what to expect.

Apr 30, 2024 •

Stephen Rees-Carter

Security Tip: Laravel 11's Per-Second Rate Limiting

[Tip#78] Up until now, Laravel has only supported rate limiting per-minute, but that didn't work in some scenarios, as a minute is a very long time. To…

Apr 28, 2024 •

Stephen Rees-Carter

Security Tip: Laravel 11's Prompt Validation Rules

[Tip#77] We often talk about validating user input from the browser, but what about user input on the command line? Validation is just as useful there…

Apr 19, 2024 •

Stephen Rees-Carter

Security Tip: Laravel 11's Automatic Password Rehashing

[Tip#76] Let's check out three of the configuration options available as part of Automatic Password Rehashing: custom fields, disabling rehashing, and…

Apr 11, 2024 •

Stephen Rees-Carter

In Depth: Graceful Encryption Key Rotation

[InDepth#25] Laravel makes effective use of encryption for security purposes, but what happens if your encryption key needs to be rotated? Let's see how…

Apr 3, 2024 •

Stephen Rees-Carter

March 2024

Security Tip: Laravel 11's Controller Authorisation & Validation Methods

[Tip#75] As part of the simplification of the app structure in Laravel 11, the Request Authorisation and Validation methods are no longer available on…

Mar 26, 2024 •

Stephen Rees-Carter

Security Tip: Laravel 11's Middleware Configuration

[Tip#74] Laravel 11 shifts the default middleware into the framework itself and exposes configuration through the bootstrap/app.php class.

Mar 18, 2024 •

Stephen Rees-Carter

Security Tip: A Well-Known URL for Changing Passwords

[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware…

Mar 10, 2024 •

Stephen Rees-Carter

In Depth: Registration Without Enumeration!

[InDepth#24] It's time to answer the question: how do you build user registration and authentication without an enumeration vector?

Mar 3, 2024 •

Stephen Rees-Carter

February 2024

Security Tip: Don't Forget Your Registration Form!

[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form... it can provide attackers…

Feb 23, 2024 •

Stephen Rees-Carter

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts