Securing Credentials for PHP with Docker

Keeping secrets secure with cutting edge technology doesn't have to be hard.

Docker Secret Credentials Php Authentication

Keeping Credentials Secure in PHP

Effective PHP credential security can be tricky, but simpler is better than complex.

Authentication Authorization

Package Protection with Roave/SecurityAdvisories

The SecurityAdvisories package from Roave protects your application from installing vulnerable and malicious packages.

Package Advisory Check Composer

Using Canaries for Input Detection and Response

The Canary PHP library combines input matching and automatic notification to make detecting potential attacks easier.

Canary Package Tutorial Detection Response Php

Does This Null Padding Make my Hash Look Big?

Hash length extension vulnerabilities can easily slip in under the radar but are easy to prevent.

Hash Padding Vulnerability

Building a Secure API - Part 5

Build out the secure login and request authorization flow in a few final steps.

Api Security Series Part5 Rest Secureapi

Building a Secure API - Part 4

Building out the database and models to power the API.

Api Security Series Part4 Rest Secureapi

Building a Secure API - Part 3

Improving the Slim structure to make it more extendable.

Api Security Series Part3 Rest Secureapi

Building a Secure API - Part 2

Take the first steps into using Slim to create a secure API.

Api Security Series Part2 Rest Secureapi

Building a Secure API - Part 1

API security doesn't have to be confusing if you build it in from the start.

Api Security Series Part1 Rest Secureapi

Build Security In - Introduction (Part 1)

Get started building security into your applications.

Buildsecurityin Introduction Part1 Tutorial

Securing Legacy Applications - Part 2

Securing legacy code can be tricky; here are a few more hints.

Secure Legacy Application Series Part2

Securing Legacy Applications - Part 1

Securing legacy code can be tricky; here are a few "quick hits" to get you started.

Secure Legacy Application Series Part1

Defaulting to Secure

Defaulting to secure settings in your tools helps keep the world a safer place.

Default Secure Settings

Passwords are Dead, Long Live Passwords

Passwords are a thorn in the security of any application. How can we fix this?

Password Policy Reuse Storage

The Importance of Effective Validation

Good validation practices on incoming data can save lots of trouble down the line.

Input Validation Validate Data

Risky Business

Proper risk evaluation can minimize the impact an attack can have on your apps.

Risk Balance Evaluation Threatmodel

Security Policy Evaluation in Laravel with PropAuth

Property-based policy evaluation is a more flexible alternative to the usual hard-coded checks.

Policy Authorization Laravel Propauth Property

Security is for Beginners

Why isn't application security taught as a beginner concept?

Beginner Introduction Opinion

Input Validation Strategies - Introduction

Validating input can help prevent most common security issues - let's learn how.

Input Validation Filtering Injection

Securing Requests with JWT (JSON Web Tokens)

JWTs can provide an extra layer of validation and protection for your requests.

Jwt Jwe Json Web Token

Fun with Input Handling: Regex, Logs & Serializing

Validating input isn't just about values, it's about context too.

Input Validation Handling Regex Logs Serialize

Versioning Data Validation

Input validation is a must for any application, but changing rules can make it tricky.

Version Validation Data

Input Filtering & Validation with Aura.Filter

The Aura.Filter component provides effective and easy-to-use data filtering & validation features.

Validation Library Filter Aura Framework

Iniscan - A Security Best Practices php.ini Scanner

Securing your configuration is important - let this tool help.

Phpini Scanner Iniscan Opensource

Core Concepts: Access Control (A Primer)

Good access control systems (and their management) are key to an application's security.

Access Control Coreconcepts

Implementing Custom Two-Factor Auth (with Twilio)

Implement your own SMS-based two-factor authentication via the Twilio API.

Twofactor Custom Twilio

Two-Factor with a Wave - Using Clef

The Clef service provides an interactive, easy-to-implement two-factor solution.

Twofactor Clef Wave

Core Concepts: Trust Boundaries

Trust boundaries are the gatekeepers for data in your applications.

Coreconcepts Threat Boundary

Security Standards: XACML - Extensible Access Control Markup Language

The XACML standard from OASIS provides an attribute-based authentication structure.

Standards Xacml Accesscontrol Markup

The Plight of the Password

Passwords must die; find out how to help that along in your own applications.

Password Twofactor Federated Identity

Effective Security Logging with Monolog

Logging is a tricky subject - what to log, when to log and what tools to use.

Logging Monolog Audit

The Secure Development Lifecycle

Learn about Microsoft's industry standard secure development practices.

Secure Development Lifecycle Microsoft

Effective Validation with Respect

The Respect Validation library helps validate and protect from bad user data.

Validation Library Respect Filter

DREADing Your Security

Using the DREAD threat modeling framework you can get a better view of the risk of your application.

Dread Threatmodel Rating Coreconcepts

Two-Factor the Yubikey Way

The Yubikey USB hardware token makes two-factor authentication as easy as pushing a button.

Twofactor Yubikey Api

Safety in PHP Dependencies with Composer

Composer provides easy package management for PHP developers, but be careful with what you use.

Composer Packagist Thirdparty Library Module

API Authentication: HMAC with Public/Private Hashes

Implementing a public/private HMAC hashing layer in your API helps authenticate and validate the request.

Api Authentication Publichash Privatehash Hmac

Beware the Mass Assignment

Mass assignment vulnerabilities can be a hard-to-find issue in your applications. Learn how to prevent them.

Vulnerability Massassignment Model

Core Concepts: Attack Surface

Knowing the exposed points of your application can help heighten your security and defenses.

Coreconcepts Attack Surface

Password Hashing with Zend\Crypt

The Zend\Crypt component of the Zend Framework makes bcrypting your passwords simple.

Encryption Bcrypt Password Hash

Google's Two-Factor Auth - Online or Offline

The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.

Twofactor Authentication Google Authenticator

Two-Factor Auth Integration with Duo Security

Using the Duo Security API you can manage multiple users and integrations, all through a REST interface.

Twofactor Authentication Duosecurity Api Webservice

Easy Two-Factor Authentication with Authy

Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.

Twofactor Authentication Authy Api Webservice

Security in the Round

Keeping the "bigger picture" in mind when assessing the security of your application is vital.

Security Theaterintheround Policy

SQLi in NoSQL - A Word of Warning

Just because you're using a NoSQL db doesn't mean you're safe from SQL injections.

Sqli Sqlinjection Nosql Mongodb

Core Concepts: Attack Patterns

Attack patterns provide a common language to refer to threat types and methods of attack.

Attack Pattern Coreconcepts

STRIDEing for Security

The STRIDE method of threat modeling gives you a simple way to evaluate the possible weak points in your application.

Stride Sdlc Threatmodel

Code Defensively

Sometimes the best defense is a good offense - "think like an attacker" with these hints to prevent exploits.

Code Bestpractice Tutorial

The External CSRF Threat & Protecting Your App

Cross-Site Request Forgeries are still a common threat. Learn how to protect your app from this pesky issue.

Csrf Introduction

Fail Fast Securely

One key to keeping an app secure is the when & how of dealing with failure.

Code Exception Error Tutorial

Core Concepts: Defense in Depth

Part of the "Core Concepts" series, this article examines the "Defense in Depth" thought pattern for securing your app.

Coreconcepts Defenseindepth

An Introduction to Content Security Policy

Learn how to protect your site with a Content Security Policy limiting JavaScript and CSS, and with reporting.

Csp Policy Tutorial Introduction

Using Mozilla Persona with PHP & jQuery

An introduction to this new tool and implementing it with jQuery and a bit of PHP.

Mozilla Persona Tutorial Javascript Jquery

Tools of the Trade: WebGoat & DVWA

Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.

Dirty Data: Protecting Your App from Your Users

All user data is tainted, but how do you effectively deal with it? Read on...

Encrypted Sessions with PHP

Use a simple custom session handler in PHP to protect your session data on the server.

TCrypto: Encrypted data storage for PHP applications

Learn how to use the TCrypto library to protect your data.

Preventing XXE in PHP

XML External Entity attacks are a lesser-known threat; learn how to protect your PHP application.

Shared Hosting: PHP Session Security

A few things to think about when using PHP sessions, especially on a shared server.

Effective File Upload Handling Tips

Handling user input can be tricky, and file uploads even more so - here are some do's, don'ts and musts.

OWASP Top Ten: Broken Authentication and Session Management

A look at one of the "Top 10" from OWASP's list of the largest vulnerabilities.

Owasp Session Authentication

Casting Your Net: Securing Your Site with Skipfish

See how to use this simple tool to help find flaws in your applications.

Protect Yourself with the Google Safe Browsing API

Google offers an API that tells you if a site is "safe". Read on to learn how to use it.

Playing Your Cards Close - Custom Error & Exception Handling

Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.

Stay Safe in Your Php.ini

The default settings in PHP's configuration aren't all secure; here are a few you should change.

Can't Trust the $_SERVER

PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!

OWASP Top Ten: Cross-Site Scripting (XSS)

A look at one of the "Top 10" from OWASP's list of the largest vulnerabilities.

Xss Owasp

Securing PHP

The Securing PHP ebook series helps introduce you to basic security concepts and some of the most common security issues in web applications.