Building a Secure API - Part 5

Build out the secure login and request authorization flow in a few final steps

Api Security Series Part5 Rest Secureapi

Building a Secure API - Part 4

Building out the database and models to power the API

Api Security Series Part4 Rest Secureapi

Building a Secure API - Part 3

Improving the Slim structure to make it more extendable

Api Security Series Part3 Rest Secureapi

Building a Secure API - Part 2

Take the first steps into using Slim to create a secure API

Api Security Series Part2 Rest Secureapi

Building a Secure API - Part 1

API security doesn't have to be confusing if you build it in from the start.

Api Security Series Part1 Rest Secureapi

Build Security In - Introduction (Part 1)

Get started building security into your applications

Buildsecurityin Introduction Part1 Tutorial

Securing Legacy Applications - Part 2

Securing legacy code can be tricky; here are a few more hints

Secure Legacy Application Series Part2

Securing Legacy Applications - Part 1

Securing legacy code can be tricky; here are a few "quick hits" to get you started

Secure Legacy Application Series Part1

Defaulting to Secure

Defaulting to secure settings in your tools helps keep the world a safer place

Default Secure Settings

Passwords are Dead, Long Live Passwords

Passwords are a thorn in the security of any application. How can we fix this?

Password Policy Reuse Storage

The Importance of Effective Validation

Good validation practices on incoming data can save lots of trouble down the line.

Input Validation Validate Data

Risky Business

Proper risk evaluation can minimize the impact an attack can have on your apps.

Risk Balance Evaluation Threatmodel

Security Policy Evaluation in Laravel with PropAuth

Property-based policy evaluation is a more flexible alternative to the usual hard-coded checks

Policy Authorization Laravel Propauth Property

Security is for Beginners

Why isn't application security taught as a beginner concept?

Beginner Introduction Opinion

Input Validation Strategies - Introduction

Validating input can help prevent most common security issues - let's learn how.

Input Validation Filtering Injection

Securing Requests with JWT (JSON Web Tokens)

JWTs can provide an extra layer of validation and protection for your requests.

Jwt Jwe Json Web Token

Fun with Input Handling: Regex, Logs & Serializing

Validating input isn't just about values, it's about context too.

Input Validation Handling Regex Logs Serialize

Versioning Data Validation

Input validation is a must for any application but changing rules can make it tricky.

Version Validation Data

Input Filtering & Validation with Aura.Filter

The Aura.Filter component provides effective and easy-to-use data filtering & validation features.

Validation Library Filter Aura Framework

Iniscan - A Security Best Practices php.ini Scanner

Securing your configuration is important - let this tool help

Phpini Scanner Iniscan Opensource

Core Concepts: Access Control (A Primer)

Good access control systems (and their management) are key to an application's security.

Access Control Coreconcepts

Implementing Custom Two-Factor Auth (with Twilio)

Implement your own SMS-based two-factor authentication via the Twilio API.

Twofactor Custom Twilio

Two-Factor with a Wave - Using Clef

The Clef service provides an interactive, easy to implement two-factor solution.

Twofactor Clef Wave

Core Concepts: Trust Boundaries

Trust boundaries are the gatekeepers for data in your applications.

Coreconcepts Threat Boundary

Security Standards: XACML - Extensible Access Control Markup Language

The XACML standard from OASIS provides an attribute-based authentication structure.

Standards Xacml Accesscontrol Markup

The Plight of the Password

Passwords must die, find out how to help that along in your own applications.

Password Twofactor Federated Identity

Effective Security Logging with Monolog

Logging is a tricky subject - what to log, when to log and what tools to use.

Logging Monolog Audit

The Secure Development Lifecycle

Learn about Microsoft's industry standard secure development practices.

Secure Development Lifecycle Microsoft

Effective Validation with Respect

The Respect Validation library helps validate and protect from bad user data.

Validation Library Respect Filter

DREADing Your Security

Using the DREAD threat modeling framework you can get a better view of the risk of your application.

Dread Threatmodel Rating Coreconcepts

Two-Factor the Yubikey Way

The Yubikey USB hardware token makes two-factor authentication as easy as pushing a button.

Twofactor Yubikey Api

Safety in PHP Dependencies with Composer

Composer provides easy package management for PHP developers, but be careful with what you use.

Composer Packagist Thirdparty Library Module

API Authentication: HMAC with Public/Private Hashes

Implementing a public/private HMAC hashing layer in your API helps authenticate and validate the request.

Api Authentication Publichash Privatehash Hmac

Beware the Mass Assignment

Mass assignment vulnerabilities can be a hard-to-find issue in your applications. Learn how to prevent them.

Vulnerability Massassignment Model

Core Concepts: Attack Surface

Knowing the exposed points of your application can help heighten your security and defenses.

Coreconcepts Attack Surface

Password Hashing with Zend\Crypt

The Zend\Crypt component of the Zend Framework makes bcrypting your passwords simple.

Encryption Bcrypt Password Hash

Google's Two-Factor Auth - Online or Offline

The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.

Twofactor Authentication Google Authenticator

Two-Factor Auth Integration with Duo Security

Using the Duo Security API you can manage multiple users and integrations, all through a REST interface

Twofactor Authentication Duosecurity Api Webservice

Easy Two-Factor Authentication with Authy

Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.

Twofactor Authentication Authy Api Webservice

Security in the Round

Keeping the "bigger picture" in mind when assessing the security of your application is vital.

Security Theaterintheround Policy

SQLi in NoSQL - A Word of Warning

Just because you're using a NoSQL db doesn't mean you're safe from SQL injections.

Sqli Sqlinjection Nosql Mongodb

Core Concepts: Attack Patterns

Attack patterns provide a common language to refer to threat types and methods of attack.

Attack Pattern Coreconcepts

STRIDEing for Security

The STRIDE method of threat modeling gives you a simple way to evaluate the possible weak points in your application.

Stride Sdlc Threatmodel

Code Defensively

Sometimes the best defense is a good offense - "think like an attacker" with these hints to prevent exploits.

Code Bestpractice Tutorial

The External CSRF Threat & Protecting Your App

Cross-site Request Forgeries are still a common threat. Learn how to protect your app from this pesky issue.

Csrf Introduction

Fail Fast Securely

One key to keeping an app secure is the when & how of dealing with failure.

Code Exception Error Tutorial

Core Concepts: Defense in Depth

Part of the "Core Concepts" series, this examines the "Defence in Depth" thought pattern to secure your app.

Coreconcepts Defenseindepth

An Introduction to Content Security Policy

Learn how to protect your site with a Content Security Policy limiting Javascript, CSS and reporting.

Csp Policy Tutorial Introduction

Using Mozilla Persona with PHP & jQuery

An introduction to this new tool and implementing it with jQuery and a bit of PHP

Mozilla Persona Tutorial Javascript Jquery

Tools of the Trade: WebGoat & DVWA

Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.

Dirty Data: Protecting Your App from Your Users

All user data is tainted, but how do you effectively deal with it? Read on...

Encrypted Sessions with PHP

Use a simple custom session handler in PHP to protect your session data on the server.

TCrypto: Encrypted data storage for PHP applications

Learn how to use the TCrypto library to protect your data.

Preventing XXE in PHP

XML External Entity attacks are a lesser-known threat, learn how to protect your PHP application.

Shared Hosting: PHP Session Security

A few things to think about when using PHP sessions, especially on a shared server.

Effective File Upload Handling Tips

Handling user input can be tricky, file uploads even more so - here are some do's, don'ts and musts.

OWASP Top Ten: Broken Authentication and Session Management

A look at one of the "Top 10" from OWASP's list of the largest vulnerabilities

Owasp Session Authentication

Casting Your Net: Securing Your Site with Skipfish

See how to use this simple tool to help find flaws in your applications.

Protect Yourself with the Google Safe Browsing API

Google offers an API that tells you if a site is "safe". Read on to learn how to use it.

Playing Your Cards Close - Custom Error & Exception Handling

Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.

Stay Safe in Your Php.ini

The default settings in PHP's configuration aren't all secure; here are a few you should change.

Can't Trust the $_SERVER

PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!

OWASP Top Ten: Cross-Site Scripting (XSS)

A look at one of the "Top 10" from OWASP's list of the largest vulnerabilities

Xss Owasp

Securing PHP

The Securing PHP ebook series helps introduce you to basic security concepts and some of the most common security issues in web applications.