websec.io is dedicated to educating developers about security with topics relating to general security fundamentals, emerging technologies and PHP-specific information.
If there's a topic you don't see here and would like to read about (or would like to write an article) let us know!
Looking for more information about securing PHP-based applications? Check out the Securing PHP ebooks:
Input Filtering & Validation with Aura.Filter
The Aura.Filter component provides effective and easy to use data filtering & validation features.
#validation #library #filter #aura #framework
Iniscan - A Security Best Practices php.ini Scanner
Securing your configuration is important - let this tool help
#phpini #scanner #iniscan #opensource
Security Standards: XACML - Extensible Access Control Markup Language
The XACML standard from OASIS provides an attribute-based authentication structure.
#standards #xacml #accesscontrol #markup
API Authentication: HMAC with Public/Private Hashes
Implementing a public/private HMAC hashing layer in your API helps authenticate and validate each request.
#api #authentication #publichash #privatehash #hmac
Google's Two-Factor Auth - Online or Offline
The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.
#twofactor #authentication #google #authenticator
Two-Factor Auth Integration with Duo Security
Using the Duo Security API you can manage multiple users and integrations, all through a REST interface.
#twofactor #authentication #duosecurity #api #webservice
Easy Two-Factor Authentication with Authy
Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.
#twofactor #authentication #authy #api #webservice
Tools of the Trade: WebGoat & DVWA
Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.
Dirty Data: Protecting Your App from Your Users
All user data is tainted, but how do you effectively deal with it? Read on...
Encrypted Sessions with PHP
Use a simple custom session handler in PHP to protect your session data on the server.
A Silent Threat - PHP in EXIF
TCrypto: Encrypted data storage for PHP applications
Learn how to use the TCrypto library to protect your data.
Preventing XXE in PHP
XML External Entity attacks are a lesser-known threat, learn how to protect your PHP application.
Shared Hosting: PHP Session Security
A few things to think about when using PHP sessions, especially on a shared server.
Effective File Upload Handling Tips
Handling user input can be tricky, and file uploads even more so - here are some do's, don'ts and musts.
OWASP Top Ten: Broken Authentication and Session Management
A look at one of the "Top 10" from OWASP's list of the largest vulnerabilities.
#owasp #session #authentication
Casting Your Net: Securing Your Site with Skipfish
See how to use this simple tool to help find flaws in your applications.
Protect Yourself with the Google Safe Browsing API
Google offers an API that tells you if a site is "safe". Read on to learn how to use it.
Playing Your Cards Close - Custom Error & Exception Handling
Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.
Stay Safe in Your Php.ini
The default settings in PHP's configuration aren't all secure - here are a few you should change.
Can't Trust the $_SERVER
PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!