Posts marked with “security”
Security Corner: Cross Site Request Forgery
Cross-site request forgery (CSRF) is a security risk where an attacker tricks a visitor into making a malicious request to your site from another, entirely unrelated site in their control. This particular vulnerability seemingly disappeared from most teams’ radars a few years ago but is beginning to reappear in the wild.
Advanced Design & Development
PHP adds syntax and slowly adapts to enable new programming techniques. Whether you are comfortable with imperative, object-oriented, or functional programming, the language makes it possible, and new syntax such as arrow functions simplifies the code you write. This issue looks into asynchronous PHP, new Browser APIs, building REST APIs, callables and closures in PHP, CodeIgniter 4, and more!
Security Corner: Request Replay Protection
One of the most overused terms in security is “token.” It’s used in many different, often unrelated contexts to mean very different things. This month we’re going to discuss one form of token—replay prevention nonces—and how to use them.
Passwordless Authentication
Passwords are part of our everyday life. You may not even think about them most of the time, that is until you forget one. What if you never had to use a password again? What if I told you it was more secure not to have a password? Would you believe me? Find out why […]
Security Corner: Seven Deadly Sins of Security
While no list regarding security, risks, or best practices can ever be exhaustive, such lists often serve as decent starting points. Understanding some of the most common classes of security mistakes is a great way to begin a conversation about total application security. The following seven security risks are critical to any application development team; they’re easy mistakes to make but are equally easy to avoid if you keep your eyes open.
Security Corner: Twist and Shout
By Eric Mann
Most self-taught developers in our industry learn to leverage an API long before they spend time learning lower-level coding patterns. This experience isn’t necessarily a bad thing. All the same, it’s important to take some time to dig deeper and better understand the tools and technologies at the core of our trade. […]
Security Corner: Responsible Encryption
As early as 2018, many governments began calling for the tech community to create so-called “responsible encryption.” Their goal is for tech companies to provide blessed “back doors” for law enforcement to decrypt and otherwise inspect messages and data created by citizens within their borders. These calls and the arguments made to support them, however, […]
DDoS Attacks: Threat Landscape and Defensive Countermeasures
Imagine an army of 100,000 robots, each hitting reload on your home page, several hundred times per second. How quickly would your site or application die? Having had to field such attacks in a past life, I found surviving them to be extremely difficult. My odds improved over time from better understanding them and preparing […]
Defensive Coding Crash Course
By Mark Niebergall
Ensuring software reliability, resiliency, and recoverability is best achieved by practicing effective defensive coding. Take a crash course in defensive coding with PHP as we cover attack surfaces, input validation, canonicalization, secure type checking, external library vetting, cryptographic agility, exception management, automatic code analysis, peer code reviews, and automated testing. Learn some […]
Renovating Applications with Symfony
The Symfony project has had a profound influence on the PHP ecosystem since its first release in 2005. Projects including Drupal, Laravel, and countless custom web applications use Symfony components. This month, we look at the new features of Symfony 4 and how to modernize legacy code.