Just a friendly reminder that I also offer budget-friendly Laravel Security Reviews: stephenreescarter.net/laravel-security-reviews
If your app hasn't had a pentest before, a Security Review is a great way to check for any vulnerabilities before someone less friendly finds them. 🕵️

Stephen Rees-Carter
@valorin
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write Securing Laravel and hack stuff on stage for fun. 😈 (he/him)
Stephen, I would like your opinion on the security of plain text creds in the .env file. Even when you use a key vault to store credentials instead of the .env, when the configuration gets cached those credentials will be stored in /bootstrap/cache/config.
Answered this one on Twitter, but so it's here too:
I don't have any problems with creds stored in the .env file. The nature of PHP means you don't really have any other choice anyway (as you pointed out), and if someone can read that file, they've already got too much access to your server.
You're adding needless complexity by trying to protect them elsewhere. And so many people waste time on methods to commit or manage creds locally, which I think introduces actual risks.
Instead, keep them only on prod and don't store them anywhere else.
Follow up:
"Absolutely agree with the complexity. I am trying to figure out a balanced approach for clients bothering me about creds being in the .env"
Massively over-quote the work involved in moving to a different solution? 🤣
That's a tough one. It's such a common recommendation, but in my professional opinion, it's complete rubbish. You're much better off focusing on securing the server itself than wasting time with creds.
Kids go back to school tomorrow, which means (in theory) I'll be able to inject some quality distraction-free hours into my course. 🤞
I was hoping to have the Authentication module out last week, but setting up a safe challenge for credential stuffing proved difficult.
XSS doesn't just hide in <script> tags - it sneaks in through HTML attributes, links, and even inline styles! Don't rely on functions like strip_tags() to keep you safe...
securinglaravel.com/security-tip-strip_tags-wont-save-you-from-xss
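An added example in plain PHP (not code from the post above or from the linked article) that shows the point: strip_tags() only removes tags, so input that carries no tag, or that sits inside a tag you allow, passes straight through, while context-aware escaping (htmlspecialchars with ENT_QUOTES, which is what Blade's {{ }} applies) keeps a string a string. The sample inputs, the allowed-tags list and the safeHref() scheme allow-list are constructed for the demonstration:

```php
<?php
// Added example, not from the original post: why strip_tags() is the wrong tool
// against XSS, and what context-aware escaping does instead.

declare(strict_types=1);

// Constructed sample inputs. None of them is touched by strip_tags() once <a> is
// on the allowed list, because the dangerous part is not a tag.
$samples = [
    // Attribute context: the leading quote closes value="..." and the rest adds
    // a new attribute. There is no tag here, so strip_tags() returns it unchanged.
    'attribute' => '" onfocus="alert(1)',
    // Link context: an allowed <a> keeps all its attributes, scheme included.
    'link'      => '<a href="javascript:alert(1)">click</a>',
    // Inline style is plain text from strip_tags()' point of view.
    'style'     => 'color:red;background:url(javascript:alert(1))',
];

// What many apps do: strip tags and treat the result as safe anywhere.
function unsafeStrip(string $input): string
{
    return strip_tags($input, '<a>');
}

// Escaping for HTML text and attribute contexts. Blade's {{ }} uses the same
// htmlspecialchars() call, so this is what you get for free in a template.
function escapeHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A URL that lands in href needs a scheme allow-list as well as escaping:
// escaping alone leaves "javascript:" intact. Allow-list is constructed.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '#'; // placeholder fallback; a real app may reject the value instead
    }
    return escapeHtml($url);
}

foreach ($samples as $label => $raw) {
    printf("%-10s strip_tags: %s\n", $label, unsafeStrip($raw));
    printf("%-10s escaped:    %s\n\n", $label, escapeHtml($raw));
}

// Rendering the attribute sample into an input value shows the difference:
$raw = $samples['attribute'];
echo '<input value="' . unsafeStrip($raw) . '">' . PHP_EOL;  // new attribute injected
echo '<input value="' . escapeHtml($raw) . '">' . PHP_EOL;   // quotes encoded, stays a value
echo '<a href="' . safeHref('javascript:alert(1)') . '">link</a>' . PHP_EOL; // scheme rejected
```

Run it with `php example.php`. The takeaway is that the fix is picked per output context (HTML text, attribute, URL, CSS), not per input: escape at the point of output with the encoder for that context, and never treat a tag-stripped string as safe for an attribute or an href.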
w00t! My @LaraconAU talk is online!
I'm super proud of how this one turned out, given it started as a "vulnerabilities I'm sick of seeing everywhere" rant!
laracon.au/talks/stephen-rees-carter
#LaraconAU
Here's my Summary slide for those who wanted a copy (plus the QR code to all my links). 😁
Thanks for laughing at all of my terrible jokes, and for putting up with my obsessing over the word "intentional" on stage. 🤣
Thanks for having me, #LaraconAU!