Our Mission

websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information.

If there's a topic you don't see here and would like to read about (or would like to write an article) let us know!


Looking for more information about securing PHP-based applications? Check out the Securing PHP ebooks:



Latest Articles


   Fun with Input Handling: Regex, Logs & Serializing
Validating input isn't just about values, it's about context too.
by Chris Cornutt #input #validation #handling #regex #logs #serialize

   Versioning Data Validation
Input validation is a must for any application but changing rules can make it tricky.
by Chris Cornutt #version #validation #data

   Input Filtering & Validation with Aura.Filter
The Aura.Filter component provides effective and easy-to-use data filtering and validation features.
by Chris Cornutt #validation #library #filter #aura #framework

   Iniscan - A Security Best Practices php.ini Scanner
Securing your configuration is important - let this tool help.
by Chris Cornutt #phpini #scanner #iniscan #opensource

   Core Concepts: Access Control (A Primer)
Good access control systems (and their management) are key to an application's security.
by Chris Cornutt #access #control #coreconcepts

   Implementing Custom Two-Factor Auth (with Twilio)
Implement your own SMS-based two-factor authentication via the Twilio API.
by Chris Cornutt #twofactor #custom #twilio

   Two-Factor with a Wave - Using Clef
The Clef service provides an interactive, easy to implement two-factor solution.
by Chris Cornutt #twofactor #clef #wave

   Core Concepts: Trust Boundaries
Trust boundaries are the gatekeepers for data in your applications.
by Chris Cornutt #coreconcepts #threat #boundary

   Security Standards: XACML - Extensible Access Control Markup Language
The XACML standard from OASIS defines an attribute-based access control (authorization) structure.
by Chris Cornutt #standards #xacml #accesscontrol #markup

   The Plight of the Password
Passwords must die; find out how to help that along in your own applications.
by Chris Cornutt #password #twofactor #federated #identity

   Effective Security Logging with Monolog
Logging is a tricky subject - what to log, when to log and what tools to use.
by Chris Cornutt #logging #monolog #audit

   The Secure Development Lifecycle
Learn about Microsoft's industry-standard secure development practices.
by Chris Cornutt #secure #development #lifecycle #microsoft

   Effective Validation with Respect
The Respect Validation library helps validate and protect from bad user data.
by Chris Cornutt #validation #library #respect #filter

   DREADing Your Security
Using the DREAD threat modeling framework you can get a better view of the risk of your application.
by Chris Cornutt #dread #threatmodel #rating #coreconcepts

   Two-Factor the Yubikey Way
The Yubikey USB hardware token makes two-factor authentication as easy as pushing a button.
by Chris Cornutt #twofactor #yubikey #api

   Safety in PHP Dependencies with Composer
Composer provides easy package management for PHP developers, but be careful with what you use.
by Chris Cornutt #composer #packagist #thirdparty #library #module

   API Authentication: HMAC with Public/Private Hashes
Adding a public/private key HMAC signing layer to your API helps authenticate the caller and validate that the request was not tampered with.
by Chris Cornutt #api #authentication #publichash #privatehash #hmac

   Beware the Mass Assignment
Mass assignment vulnerabilities can be a hard-to-find issue in your applications. Learn how to prevent them.
by Chris Cornutt #vulnerability #massassignment #model

   Core Concepts: Attack Surface
Knowing the exposed points of your application can help heighten your security and defenses.
by Chris Cornutt #coreconcepts #attack #surface

   Password Hashing with Zend\Crypt
The Zend\Crypt component of the Zend Framework makes bcrypting your passwords simple.
by Chris Cornutt #encryption #bcrypt #password #hash

   Google's Two-Factor Auth - Online or Offline
The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.
by Chris Cornutt #twofactor #authentication #google #authenticator

   Two-Factor Auth Integration with Duo Security
Using the Duo Security API you can manage multiple users and integrations, all through a REST interface.
by Chris Cornutt #twofactor #authentication #duosecurity #api #webservice

   Easy Two-Factor Authentication with Authy
Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.
by Chris Cornutt #twofactor #authentication #authy #api #webservice

   Security in the Round
Keeping the "bigger picture" in mind when assessing the security of your application is vital.
by Chris Cornutt #security #theaterintheround #policy

   SQLi in NoSQL - A Word of Warning
Just because you're using a NoSQL database doesn't mean you're safe from injection attacks.
by Chris Cornutt #sqli #sqlinjection #nosql #mongodb

   Core Concepts: Attack Patterns
Attack patterns provide a common language to refer to threat types and methods of attack.
by Chris Cornutt #attack #pattern #coreconcepts

   STRIDEing for Security
The STRIDE method of threat modeling gives you a simple way to evaluate the possible weak points in your application.
by Chris Cornutt #stride #sdlc #threatmodel

   Code Defensively
Sometimes the best defense is a good offense - "think like an attacker" with these hints to prevent exploits.
by Chris Cornutt #code #bestpractice #tutorial

   The External CSRF Threat & Protecting Your App
Cross-site Request Forgeries are still a common threat. Learn how to protect your app from this pesky issue.
by Chris Cornutt #csrf #introduction

   Fail Fast Securely
One key to keeping an app secure is the when & how of dealing with failure.
by Chris Cornutt #code #exception #error #tutorial

   Core Concepts: Defense in Depth
Part of the "Core Concepts" series, this article examines the "Defense in Depth" thought pattern for securing your app.
by Chris Cornutt #coreconcepts #defenseindepth

   An Introduction to Content Security Policy
Learn how to protect your site with a Content Security Policy that limits JavaScript and CSS sources and reports violations.
by David Müller #csp #policy #tutorial #introduction

   Using Mozilla Persona with PHP & jQuery
An introduction to this new tool and how to implement it with jQuery and a bit of PHP.
by Chris Cornutt #mozilla #persona #tutorial #javascript #jquery

   Tools of the Trade: WebGoat & DVWA
Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.
by Chris Cornutt

   Dirty Data: Protecting Your App from Your Users
All user data is tainted, but how do you effectively deal with it? Read on...
by Jeremy Cook

   Encrypted Sessions with PHP
Use a simple custom session handler in PHP to protect your session data on the server.
by Chris Cornutt

   A Silent Threat - PHP in EXIF
by Chris Cornutt

   TCrypto: Encrypted data storage for PHP applications
Learn how to use the TCrypto library to protect your data.
by Timo

   Preventing XXE in PHP
XML External Entity attacks are a lesser-known threat, learn how to protect your PHP application.
by Chris Cornutt

   Shared Hosting: PHP Session Security
A few things to think about when using PHP sessions, especially on a shared server.
by Chris Cornutt

   Effective File Upload Handling Tips
Handling user input can be tricky, and file uploads even more so - here are some do's, don'ts and musts.
by Chris Cornutt

   OWASP Top Ten: Broken Authentication and Session Management
A look at one entry from the OWASP Top 10 list of the most critical web application vulnerabilities.
by Chris Cornutt #owasp #session #authentication

   Casting Your Net: Securing Your Site with Skipfish
See how to use this simple tool to help find flaws in your applications.
by Chris Cornutt

   Protect Yourself with the Google Safe Browsing API
Google offers an API that tells you if a site is "safe". Read on to learn how to use it.
by Chris Cornutt

   Playing Your Cards Close - Custom Error & Exception Handling
Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.
by Chris Cornutt

   Stay Safe in Your Php.ini
The default settings in PHP's configuration aren't all secure, here's a few you should change.
by Chris Cornutt

   Can't Trust the $_SERVER
PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!
by Chris Cornutt

   OWASP Top Ten: Cross-Site Scripting (XSS)
A look at one entry from the OWASP Top 10 list of the most critical web application vulnerabilities.
by Chris Cornutt #xss #owasp