Stephen Rees-Carter (@valorin)'s Twitter Profile
Stephen Rees-Carter

@valorin

Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write securinglaravel.com and hack stuff on stage for fun. 😈 (he/him)

ID: 21135677

Link: https://pinkary.com/@valorin | Joined: 17-02-2009 21:55:52

9,9K Tweets

5,5K Followers

1,1K Following

Stephen Rees-Carter (@valorin):

It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function like hash_equals()! securinglaravel.com/security-tip-c… #Laravel
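The tip above in working code. This is an added example, not code from the tweet or from securinglaravel.com; the token value is a constructed sample and the function names are hypothetical. It shows the `===` comparison beside `hash_equals()`, and the two caveats a practitioner should know: `hash_equals()` still short-circuits on a length mismatch, and `==` on numeric-looking strings is outright wrong in PHP.

```php
<?php
declare(strict_types=1);

// Constructed sample secret (hypothetical, not a real key).
const STORED_TOKEN = 'b6f3e1c9a2d84f7e9c0b1a2d3e4f5a6b';

// VULNERABLE: `===` returns as soon as the first differing byte is found, so the
// response time leaks how many leading bytes of the token the caller guessed
// correctly. Measured over many requests, that turns a 2^128 search into a
// byte-by-byte one.
function verifyTokenUnsafe(string $supplied): bool
{
    return STORED_TOKEN === $supplied;
}

// WORSE: `==` applies PHP's loose comparison. Two numeric-looking strings are
// compared as numbers, so '0e123' == '0e456' is true.
function verifyTokenLoose(string $supplied): bool
{
    return STORED_TOKEN == $supplied;
}

// SAFE: hash_equals() compares every byte of the known string regardless of
// where the inputs differ. The secret (known) value must be the FIRST argument;
// the user-controlled value goes second.
function verifyTokenSafe(string $supplied): bool
{
    return hash_equals(STORED_TOKEN, $supplied);
}

// hash_equals() still returns early when the lengths differ, which leaks the
// token length. Hashing both sides first gives fixed-length inputs and also
// keeps an attacker-sized payload away from the comparison itself.
function verifyTokenSafeFixedLength(string $supplied): bool
{
    return hash_equals(
        hash('sha256', STORED_TOKEN),
        hash('sha256', $supplied)
    );
}

// When tokens are stored hashed (Laravel Sanctum, for instance, stores a SHA-256
// of the plain-text token), hash the supplied value and compare the digests.
function verifyStoredHash(string $storedSha256, string $supplied): bool
{
    return hash_equals($storedSha256, hash('sha256', $supplied));
}

var_dump(verifyTokenSafe('b6f3e1c9a2d84f7e9c0b1a2d3e4f5a6b'));
var_dump(verifyTokenSafeFixedLength('b6f3e1c9a2d84f7e9c0b1a2d3e4f5a6c'));
var_dump(verifyStoredHash(hash('sha256', STORED_TOKEN), STORED_TOKEN));
```

For password hashes you never compare strings yourself at all: `Hash::check()` in Laravel (which calls `password_verify()`) already does a constant-time comparison of the bcrypt output.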

Stephen Rees-Carter (@valorin):

Identifying email billing scams is such a hard problem that AWS has decided to change their billing emails domain from the very confusing and hard to identify "email.amazon.com" to the totally simple and not-suspicious-in-any-way "…and-invoicing.us-east-1.amazonaws.com". WTF AWS??!! 🤦

Stephen Rees-Carter (@valorin):

⚠️ New CRITICAL vulnerability disclosed in Livewire v3, you need to update ASAP! ⚠️ This is a rather sneaky one that gives an attacker RCE (under the right conditions), and can be done unauthenticated with no user input... hence CRITICAL. 😱 securinglaravel.com/security-notic… #Laravel

Cam Kemshal-Bell (@camkemdev):

Does anyone in the Laravel community have any recommendation for automated code vulnerability scanning tool? We have tried GitHub Code Security & Amazon Inspector - both are terrible at scanning PHP (in particular Laravel projects).

Stephen Rees-Carter (@valorin):

Something I should have included in the original post: Livewire may be included through a dependency, like Pulse or Filament, and not show up in your composer.json! 🚨 Run `composer show livewire/livewire` to check if it's installed - or just update everything regardless!

Stephen Rees-Carter (@valorin):

It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! 🤨 securinglaravel.com/security-tip-d… #Laravel
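A script that answers both questions from the two tweets above (is the package installed at all, and what pulled it in). This is an added example, not code from the tweets or from securinglaravel.com. It reads `composer.lock` rather than `composer.json`, because the lock file records every installed package including transitive ones; the lock contents here are a constructed sample, and the minimum version passed in is a placeholder, not the fixed version from any advisory.

```php
<?php
declare(strict_types=1);

// Decode composer.lock and return all installed packages. Dev packages are
// installed locally too, so they are included.
function loadLock(string $json): array
{
    $lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
}

// Equivalent of `composer show <name>`: the locked entry for a package, if any.
function findPackage(array $packages, string $name): ?array
{
    foreach ($packages as $pkg) {
        if (strcasecmp($pkg['name'], $name) === 0) {
            return $pkg;
        }
    }
    return null;
}

// Equivalent of `composer why <name>`: every locked package whose own
// "require" list names the package. This is how a package ends up installed
// without appearing in your composer.json.
function requiredBy(array $packages, string $name): array
{
    $parents = [];
    foreach ($packages as $pkg) {
        foreach (array_keys($pkg['require'] ?? []) as $dep) {
            if (strcasecmp($dep, $name) === 0) {
                $parents[] = $pkg['name'];
            }
        }
    }
    return $parents;
}

// Report installed version, who requires it, and whether it meets $minimumSafe
// (take the real threshold from the vendor's advisory; the value used below is
// a placeholder).
function checkPackage(string $lockJson, string $name, string $minimumSafe): string
{
    $packages = loadLock($lockJson);
    $pkg = findPackage($packages, $name);
    if ($pkg === null) {
        return "$name is not installed";
    }

    $version = ltrim($pkg['version'], 'v');
    $status = version_compare($version, $minimumSafe, '>=') ? 'OK' : 'BELOW MINIMUM, update now';

    $via = requiredBy($packages, $name);
    $viaText = $via
        ? ' (required by ' . implode(', ', $via) . ')'
        : ' (not required by any locked package, so probably listed in composer.json)';

    return "$name $version$viaText: $status";
}

// Constructed sample lock: livewire is only present because a hypothetical
// admin-panel package depends on it.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'example/admin-panel', 'version' => 'v2.1.0', 'require' => ['livewire/livewire' => '^3.0']],
        ['name' => 'livewire/livewire', 'version' => 'v3.4.0', 'require' => ['php' => '^8.1']],
    ],
    'packages-dev' => [],
]);

echo checkPackage($sampleLock, 'livewire/livewire', '3.9.9'), PHP_EOL;
```

On a real project the same two answers come from `composer show livewire/livewire` and `composer why livewire/livewire` (an alias of `composer depends`); the script is useful when you want to run the check across many repositories in CI without Composer installed.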

Tobias_Petry.sql (@tobias_petry):

The State Of Laravel 2025 survey has started! You can now participate to identify how the ecosystem changed over the past 12 months! Please RT for reach ❤️ stateoflaravel.com/participate?re…

Stephen Rees-Carter (@valorin):

For those who missed it, I recently launched sponsors on Securing Laravel! 🎉 Sponsoring SL is the perfect way to get your brand in front of thousands of security-conscious Laravel devs, and support my security work within the community. More details: securinglaravel.com/sponsor/

Stephen Rees-Carter (@valorin):

We've all heard about SQLi and XSS, but what about another big injection vector: Command Injection? It's less common but just as critical if your app does anything on the command line. Plus, it's not as easy to blindly escape be done... 😯 securinglaravel.com/security-tip-w… #Laravel
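The command-injection point above, as an added example that is not code from the tweet or from securinglaravel.com. A hypothetical "ping this host" feature is shown three ways: the injectable version, the version that only escapes (which still allows argument injection), and a hardened version that validates the input and never hands a string to a shell. The sample host values are constructed.

```php
<?php
declare(strict_types=1);

// VULNERABLE: the user string is spliced into a command line that /bin/sh parses.
// Input such as "example.com; cat /etc/passwd" or "$(id)" runs as a command.
function pingUnsafe(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// STILL RISKY: escapeshellarg() neutralises shell metacharacters, but the value
// is still a free-form argument to ping. "-f" or "-c 100000" is accepted as an
// option, so escaping alone does not make the call safe (argument injection).
function pingEscaped(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Allow only what a hostname can look like: alphanumeric labels, optional
// hyphens inside a label, dots between labels, 253 bytes max.
function isValidHostname(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $host) === 1;
}

// HARDENED:
//  1. validate against the shape you actually expect,
//  2. pass an argv array to proc_open() (PHP >= 7.4), which execs the program
//     directly so no string is ever re-parsed by a shell,
//  3. end the option list with "--" so a leading dash can never become a flag.
function pingSafe(string $host): string
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException('Invalid hostname');
    }

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $process = proc_open(['ping', '-c', '1', '--', $host], $descriptors, $pipes);
    if (!is_resource($process)) {
        throw new RuntimeException('Could not start ping');
    }

    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);

    return (string) $stdout;
}

// Constructed inputs: only the first should ever reach ping.
foreach (['example.com', 'example.com; cat /etc/passwd', '-f', '$(id)'] as $candidate) {
    echo str_pad($candidate, 32), isValidHostname($candidate) ? 'accepted' : 'rejected', PHP_EOL;
}
```

In a Laravel app the same rule applies to the `Process` facade and Symfony Process: pass the command as an array (`Process::run(['ping', '-c', '1', '--', $host])`) so the arguments go straight to `proc_open()` instead of being interpolated into a shell string, and validate the value first, because an array only prevents shell injection, not an attacker choosing ping's options.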

Stephen Rees-Carter (@valorin):

This is your periodic reminder to ensure bcrypt rounds is set to 12 (or higher)! Laravel's default was increased from 10 to 12 two years ago, so if you're working on an older codebase, make sure you've updated `bcrypt.rounds`. securinglaravel.com/security-tip-i… #Laravel
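What the `bcrypt.rounds` change looks like in practice, as an added example that is not code from the tweet or from securinglaravel.com. It assumes a standard Laravel app; the `LoginController` and the `User` model are hypothetical. The point it adds to the tweet is that raising the rounds only affects hashes created from then on, so existing users keep their weaker hash until you rehash it at their next login.

```php
<?php
declare(strict_types=1);

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

// config/hashing.php (relevant part):
//
//   Older codebase (weak):
//     'bcrypt' => ['rounds' => env('BCRYPT_ROUNDS', 10)],
//
//   Current default (corrected):
//     'bcrypt' => ['rounds' => env('BCRYPT_ROUNDS', 12)],
//
// Each extra round doubles the work factor, so 12 costs four times 10 per hash.

class LoginController
{
    public function store(Request $request)
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (!Auth::attempt($credentials)) {
            return back()->withErrors(['email' => 'Invalid credentials']);
        }

        $user = $request->user();

        // Hash::needsRehash() is true when the stored hash's cost or algorithm
        // differs from the current config. We still hold the plain password at
        // this point, so this is the one place an old cost-10 hash can be
        // upgraded to cost 12.
        if (Hash::needsRehash($user->password)) {
            $user->forceFill(['password' => Hash::make($credentials['password'])])->save();
        }

        $request->session()->regenerate();

        return redirect()->intended('/');
    }
}

// Quick audit helper: the cost is embedded in the hash itself ("$2y$10$..." is
// cost 10, "$2y$12$..." is cost 12), so you can count how many stored hashes
// are still below the target without knowing any passwords.
function bcryptCost(string $hash): ?int
{
    $info = password_get_info($hash);
    return $info['options']['cost'] ?? null;
}
```

Laravel 11 performs this rehash-on-login step itself when `hashing.rehash_on_login` is enabled, which it is by default; on earlier versions, or with that option turned off, the explicit `Hash::needsRehash()` check above is what keeps old hashes from staying at cost 10 forever.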

Stephen Rees-Carter (@valorin):

Worried about the security of your Laravel app, or found vulnerable code & need to check there isn't more? 😱 Book in a Laravel Security Audit and Penetration Test today! I'll help secure your code, find vulns and give practical advice for Laravel apps! valorinsecurity.com

Stephen Rees-Carter (@valorin):

Anyone want to throw a pile of money at me to fund a really cool research idea I have? 🤣 Will take a bit of time to get set up, but would be a great thing to have in the Laravel and PHP community.

Stephen Rees-Carter (@valorin):

Off to a good start this week: I thought Michael Dyrynda was supposed to be in the air already, but I got my timing slightly wrong... 🤦 Still, it's not all bad, now he'll spend his entire 15 hour flight wondering what I'm up to. 😈

Zuzana 🦋 (@zuzana_kunckova):

We are a movement now 💪. What started from a few Larabelles on stage has become a movement. We have a place in tech. We are here and we are growing. Diversity is a strength and power, and for those naysayers saying a community like Larabelles is pointless, think again.