Posts marked with “security”
Security Corner: Basics of Password Hashing
Every web application that allows users to authenticate needs to ensure its users’ credentials are afforded the best protection possible. Conventionally, this is done by storing only the hash of a password rather than the password itself. Luckily, password hashing in PHP is secure, safe, and remarkably straightforward to implement.
About PHP’s Compromised Git Commit
PHP internals contributor Sara Golemon answers questions from a panel of php[architect] and PHP Ugly contributors about the recent git compromise that affected the PHP project and what they’re doing about it. You can also watch a video of the roundtable with Sara. More on This From Rasmus Lerdorf: It wasn't, but we caught it […]
Security Corner: Supply Chain Security
The recent security breach of SolarWinds was one of the worst the community has seen in recent years, not because of the severity of the attack itself but because of its impact on almost all of SolarWinds’ downstream customers. Let’s look at whether something like this could happen in the PHP ecosystem and what we could do to […]
Security Corner: Enforcing Subresource Integrity
Any scripts or styles you include in your web application are called “subresources.” Because these files can affect your application’s overall operation, ensuring the integrity of every subresource loaded into the page is critical to writing secure software. Otherwise, an untrusted party might inject malware, cryptocurrency miners, or another malicious payload into […]
Security Corner: Circuit Breakers
If your application’s stability depends on the availability of a third-party system, the reliability of that external system becomes critical to the smooth operation of your own. The circuit breaker pattern is a proven way to protect against an unstable system causing problems with yours. Use it, and you won’t be surprised by an unplanned […]
Running Parallel
While we tend to think of our scripts as running for one request at a time, PHP web applications handle multiple simultaneous requests. In this issue, we look at asynchronous programming using Swoole, handling serverless file uploads, implementing security headers, dealing with race conditions, and more.
Security Corner: Configurable Security
Having a tool like Mozilla’s Observatory scan the health of your site is useless if you lack the tools to properly secure it and pass the inspections in the first place. You can set most of the required settings directly in the source of your application.
Security Corner: Observable Security
Among the easiest ways to ensure your website or web application is behaving securely is to subject it to objective, third-party security scans. The Mozilla Observatory is one such tool that helps ensure strong security for any system operating on the public Internet. The Observatory automatically scans your website to make sure you correctly configure […]
Security Corner: Usable Security
An oft-overlooked aspect of any security practice or policy is its usability. Do the checks and controls added for the sake of security make the system harder for end-users to do their jobs? An unusable system will never be fully implemented and will fail to secure even the simplest of platforms.
Interview with Eric Mann, Security Corner contributor
In this episode, Eric van Johnson and John Congdon talk to Security Corner contributor Eric Mann about keeping your website secure: how a breach sparked his interest in security, the value of tokens and nonces, what area of security needs more attention, how to use end-to-end encryption for communication, using Linux as your daily driver […]