Every time I have to look up the OWASP Top 10 to check which position something is in, I always feel like a fraud. Surely I should remember this stuff by now, right? 😕
I'm researching for an article about SSRF and I totally forgot it sits at #10. 🤦 🤣
Stephen Rees-Carter
@valorin
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write Securing Laravel and hack stuff on stage for fun. 😈 (he/him)
95 Posts • 6K Views
I've had some really lovely feedback from folks after my 3 years retrospective post on Securing Laravel yesterday. Thank you all so much for the kind words and support, it means so much to be in such a supportive community. 🥰
3 years ago I started a paid newsletter as an experiment, not knowing how much interest there would actually be...
Now after 3 years, 90 Security Tips and 28 In Depth articles (+ a few special features), it's still growing!
Thanks for all the support! 🥰
securinglaravel.com/3-years
Did you know Laravel's URL validator lets you control which protocols you accept?
My recommendation is to require HTTPS-only if possible, or limit it to only HTTP and HTTPS if you don't need special links.
securinglaravel.com/security-tip-validating-secure-urls #Security
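The rule the tip describes, shown in a Laravel form request. This is an added example, not code from the post or from securinglaravel.com; it assumes a Laravel version whose `url` validation rule accepts protocol parameters (10.x and later), and the request class and field names are made up for illustration.

```php
<?php
// Added example (not the post's own code): restricting which URL schemes
// Laravel's `url` rule will accept. Field names and class are hypothetical.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class StoreProfileRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            // Too permissive: the bare rule accepts every scheme its regex
            // knows about, e.g. ftp://, not just web links.
            // 'website' => ['required', 'url'],

            // Recommended: HTTPS only.
            'website' => ['required', 'url:https'],

            // If plain HTTP links must be allowed too, list both and nothing else.
            'homepage' => ['nullable', 'url:http,https'],
        ];
    }
}
```

To check the behaviour from `php artisan tinker`, `Validator::make(['website' => 'ftp://files.example.com/'], ['website' => 'url:https'])->fails()` returns true, and the same call with `https://example.com/` returns false. Keep the allowed list as short as the feature needs: a link that is only ever rendered as an `<a href>` has no business carrying anything other than `http` or `https`.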
As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS instead!
securinglaravel.com/security-tip-dont-use-nl2br #Security
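The two rendering approaches side by side, as an added example that is not code from the post or from securinglaravel.com. The comment text is constructed sample input, and the Blade lines in the comments show the template equivalent of each PHP function.

```php
<?php
// Added example (not the post's own code): why nl2br() pushes you toward
// unescaped output, and the CSS alternative that keeps escaping intact.

declare(strict_types=1);

// Constructed sample: a user-submitted comment with newlines and a script tag.
const UNTRUSTED_COMMENT = "Nice post!\n<script>alert(document.cookie)</script>\nThanks";

/**
 * Risky pattern. nl2br() emits real <br /> tags, so in Blade the result has
 * to go through {!! !!} to render them, and if the input was not escaped
 * first the script tag reaches the browser intact.
 *
 * Blade equivalent: {!! nl2br($comment) !!}
 */
function renderWithNl2br(string $comment): string
{
    return '<p>' . nl2br($comment) . '</p>';
}

/**
 * Safer pattern. Leave the newlines as plain text, escape everything, and
 * let CSS (white-space: pre-line) turn the newlines into line breaks.
 *
 * Blade equivalent: <p style="white-space: pre-line">{{ $comment }}</p>
 */
function renderWithCss(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');

    return '<p style="white-space: pre-line">' . $escaped . '</p>';
}

/** Crude check used below: does a rendered fragment still contain a live <script> tag? */
function containsScriptTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

if (PHP_SAPI === 'cli') {
    echo 'nl2br: ', renderWithNl2br(UNTRUSTED_COMMENT), PHP_EOL;
    echo 'css:   ', renderWithCss(UNTRUSTED_COMMENT), PHP_EOL;
    var_dump(containsScriptTag(renderWithNl2br(UNTRUSTED_COMMENT)));
    var_dump(containsScriptTag(renderWithCss(UNTRUSTED_COMMENT)));
}
```

Run it with `php nl2br-example.php` (file name assumed): the nl2br version keeps the script tag, the CSS version escapes it. Escaping first and then calling nl2br (`{!! nl2br(e($comment)) !!}`) also works, but it depends on every developer remembering the `e()` on every use; the CSS approach needs no unescaped output at all, so Blade's default `{{ }}` escaping stays in force.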