Stephen Rees-Carter
@valorin.bsky.social
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️
I write securinglaravel.com and hack stuff on stage for fun. 😈
I'm found elsewhere too: https://pinkary.com/@valorin 🪄
I write securinglaravel.com and hack stuff on stage for fun. 😈
I'm found elsewhere too: https://pinkary.com/@valorin 🪄
Haven't bought tickets to my [email protected] Security Workshop yet?! 😲
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛
This is your final warning... ⏰
events.humanitix.com/lets-hack-pr...
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛
This is your final warning... ⏰
events.humanitix.com/lets-hack-pr...
"Let's Hack!" Pre-Laracon Security Workshop
Attending Laracon AU? Come along to
events.humanitix.com
October 17, 2025 at 12:08 AM
Haven't bought tickets to my [email protected] Security Workshop yet?! 😲
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛
This is your final warning... ⏰
events.humanitix.com/lets-hack-pr...
I'll be locking in numbers early next week, so get your ticket TODAY or reach out to me directly. ⌛
This is your final warning... ⏰
events.humanitix.com/lets-hack-pr...
"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! 🎉
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
"Let's Hack!" Pre-Laracon Security Workshop
Attending Laracon AU? Come along to
events.humanitix.com
October 8, 2025 at 7:09 AM
"Let's Hack!", my Pre-Laracon Security Workshop is just FIVE weeks away! 🎉
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
(So is @laracon.au... but let's be honest, priorities.)
Only 11 tickets left, & I need to confirm numbers with the venue, so if you've been thinking about it, now's the time!
👉 events.humanitix.com/lets-hack-pr...
If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands? 🤔
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: How Should APIs Respond to HTTP?
[Tip #123] If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands?
securinglaravel.com
September 29, 2025 at 1:18 PM
If an API client tries to connect via unencrypted HTTP, what should your API do: redirect to HTTPS, disable HTTP, offer a swift rebuke, or take matters into it's own hands? 🤔
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: What Is An HttpOnly Cookie?
[Tip #86] Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
securinglaravel.com
September 25, 2025 at 10:08 AM
Cookies come in many shapes and sizes, and with multiple attributes just to confuse you... Have you ever wondered what the humble HttpOnly attribute actually does?
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Reposted by Stephen Rees-Carter
We'll never know how @valorin.bsky.social keeps getting invited back to speak at @laracon.au but we do know that he always puts on a heck of a talk when he does!
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
September 25, 2025 at 1:40 AM
We'll never know how @valorin.bsky.social keeps getting invited back to speak at @laracon.au but we do know that he always puts on a heck of a talk when he does!
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
Learn how to defend your Hornburg on November 13-14!
Grab your ticket before 29 Sept to get a 👕 in your size 👉 laracon.au/tickets
Reposted by Stephen Rees-Carter
Security advocate and friendly hacker @valorin.bsky.social keeps finding his way back into the #LaraconAU lineup.
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
September 25, 2025 at 1:27 AM
Security advocate and friendly hacker @valorin.bsky.social keeps finding his way back into the #LaraconAU lineup.
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
Join us on November 13-14 for some practical security tips to help you defend your Hornburg (with or without Gandalf)
Laravel Security Tip: Do You Have a Permissions Policy?
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
Security Tip: Do You Have a Permissions Policy?
[Tip #85] What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com
September 24, 2025 at 1:11 AM
Laravel Security Tip: Do You Have a Permissions Policy?
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
What browser features do you have enabled on your site, and what can an XSS attack do if you don't disable them?
securinglaravel.com/security-tip...
#Laravel
Do you reset your 2FA secret keys when a user toggles TOTP off/on?
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱
securinglaravel.com/security-tip... #Laravel
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱
securinglaravel.com/security-tip... #Laravel
Security Tip: Don't Forget to Regenerate 2FA Secret Keys!
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: your 2FA secret keys may also be at risk!
securinglaravel.com
September 22, 2025 at 8:06 PM
Do you reset your 2FA secret keys when a user toggles TOTP off/on?
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱
securinglaravel.com/security-tip... #Laravel
It's not just passwords you need to worry about when it comes to authentication and stolen credentials: if an attacker can steal a 2FA secret key, they'll always have a valid TOTP! 😱
securinglaravel.com/security-tip... #Laravel
It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
Security Tip: Prohibiting Destructive Commands on Production
[Tip #83] It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
securinglaravel.com
September 18, 2025 at 10:08 AM
It's important to be paranoid when it comes to production environments - because if you forget you're logged into prod, you may end up dropping a database... or worse! 😱
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
Laravel's new Prohibitable trait lets you disable Artisan Commands to avoid this!
securinglaravel.com/security-tip...
#Laravel
You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
Security Tip: A Well-Known URL for Changing Passwords
[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!
securinglaravel.com
September 17, 2025 at 1:11 AM
You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
/.well-known/change-password
It should redirect to your change password form, so password managers can easily send users there.
securinglaravel.com/security-tip... #Laravel
Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: Bypassing Content-Security-Policy with <base>!
[Tip #122] Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! 😈
securinglaravel.com
September 15, 2025 at 8:06 PM
Content Security Policies are awesome, but if you haven't fully configured all of your directives, it's possible to redirect requests, inherit Nonces, and get juicy CSP-bypassing XSS! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. 🤓
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
September 15, 2025 at 7:13 AM
Sometimes when I sit down to write a Security Tip it comes together so quickly that I'm surprised I hadn't written it sooner. 🤓
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
The one I'm about to publish came together perfectly, including the demo, and it has the bonus of being pure nightmare fuel. Win-win for me! 😈
So what you're saying is, you've all been off on a long weekend?
![Comic. [Building with large sign in front of it[ SIGN: Welcome to the *Biology Department* It has been [changeable sign: 3] days since we discovered something existentially horrifying about bugs that makes you question your whole reality](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:cz73r7iyiqn26upot4jtjdhk/bafkreigvmzverlrjgqp4mazbkhm43fpvv2hdbkd2t2646dhihozrwdcy24@jpeg)
September 12, 2025 at 12:08 AM
So what you're saying is, you've all been off on a long weekend?
Ugh, I hate it when apps switch from Next/Previous Tab switching to Most Recently Used (MRU) switching with Ctrl+Tab! MRU is only logical when you can't see the other tabs, otherwise it's a UX disconnect between display and keyboard. 😒
Looking at you Telegram! 😡
Looking at you Telegram! 😡
September 11, 2025 at 11:49 PM
Ugh, I hate it when apps switch from Next/Previous Tab switching to Most Recently Used (MRU) switching with Ctrl+Tab! MRU is only logical when you can't see the other tabs, otherwise it's a UX disconnect between display and keyboard. 😒
Looking at you Telegram! 😡
Looking at you Telegram! 😡
We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form, it can provide attackers with crucial intel! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: Don't Forget Your Registration Form!
[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form... it can provide attackers with crucial intel!
securinglaravel.com
September 11, 2025 at 10:08 AM
We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form, it can provide attackers with crucial intel! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
HTTPS is everywhere & easy, but HTTP is still the default option browsers will attempt when given a raw domain. How do you stop an attacker from abusing this by hijacking the initial HTTP connection attempt? 😱
This is where HSTS comes in... 🔒
securinglaravel.com/security-tip... #Laravel
This is where HSTS comes in... 🔒
securinglaravel.com/security-tip... #Laravel
Security Tip: How Strict Is your Transport Security?
[Tip #82] HTTPS is everywhere & easy, but HTTP is still an option... How do you stop an attacker intercepting and downgrading connections to your site?
securinglaravel.com
September 10, 2025 at 1:11 AM
HTTPS is everywhere & easy, but HTTP is still the default option browsers will attempt when given a raw domain. How do you stop an attacker from abusing this by hijacking the initial HTTP connection attempt? 😱
This is where HSTS comes in... 🔒
securinglaravel.com/security-tip... #Laravel
This is where HSTS comes in... 🔒
securinglaravel.com/security-tip... #Laravel
Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: When Is XSS Not Strictly XSS? (But Still Bad!)
[Tip #121] Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! 😈
securinglaravel.com
September 8, 2025 at 8:06 PM
Technically, XSS involves injecting malicious Javascript, but sometimes you don't need any JS to get up to mischief! 😈
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Do you know what information is being leaked by the Referer header when your users click on external links?
If you site is public, you might be safe - but what if you have internal apps, or sensitive information in your URLs?
securinglaravel.com/security-tip... #Laravel #PHP
If you site is public, you might be safe - but what if you have internal apps, or sensitive information in your URLs?
securinglaravel.com/security-tip... #Laravel #PHP
Security Tip: Is Your Referrer Leaking Information?
[Tip #81] Do you know what information is being leaked by the Referer header when your users click on external links?
securinglaravel.com
September 4, 2025 at 10:08 AM
Do you know what information is being leaked by the Referer header when your users click on external links?
If you site is public, you might be safe - but what if you have internal apps, or sensitive information in your URLs?
securinglaravel.com/security-tip... #Laravel #PHP
If you site is public, you might be safe - but what if you have internal apps, or sensitive information in your URLs?
securinglaravel.com/security-tip... #Laravel #PHP
As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS instead!
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: Don't Use nl2br()!
[Tip#67] As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS instead!
securinglaravel.com
September 3, 2025 at 1:11 AM
As useful as it sounds, nl2br() can potentially leave you open to Cross-Site Scripting (XSS) vulnerabilities... you should reach for CSS instead!
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Reposted by Stephen Rees-Carter
🚨 The #LaraconAU talk titles are live! 🚨
👉 laracon.au/schedule
We’ll reveal who’s speaking on what next month - but for now… can you guess? 👀
Submit your guesses and you could win a premium hoodie 🐘💚
👉 laracon.au/schedule
We’ll reveal who’s speaking on what next month - but for now… can you guess? 👀
Submit your guesses and you could win a premium hoodie 🐘💚
Laracon AU 2025 - Brisbane, November 13-14
Laracon AU returns to QUT Gardens Theatre in Brisbane in 2025. Join us for two days of learning, growing, and networking with the Laravel community on November 13 - 14, 2025
laracon.au
September 2, 2025 at 1:27 AM
🚨 The #LaraconAU talk titles are live! 🚨
👉 laracon.au/schedule
We’ll reveal who’s speaking on what next month - but for now… can you guess? 👀
Submit your guesses and you could win a premium hoodie 🐘💚
👉 laracon.au/schedule
We’ll reveal who’s speaking on what next month - but for now… can you guess? 👀
Submit your guesses and you could win a premium hoodie 🐘💚
Reposted by Stephen Rees-Carter
Over the years, Stephen's security insights have transformed how I build applications. Not only are they more secure, but I have genuine peace of mind knowing I'm avoiding critical vulnerabilities. If you have 5 minutes to spare, dive into Stephen's content - you won't regret it. 👀
4 years of Securing Laravel! 🎂
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
4 years of Securing Laravel! 🎂
I almost missed it, but it's time to celebrate 4 years of Securing Laravel!
securinglaravel.com
September 1, 2025 at 8:12 AM
Over the years, Stephen's security insights have transformed how I build applications. Not only are they more secure, but I have genuine peace of mind knowing I'm avoiding critical vulnerabilities. If you have 5 minutes to spare, dive into Stephen's content - you won't regret it. 👀
Friendly reminder: Laravel 11 stops receiving bug fixes on Wednesday! 😱
This means you've only got 6 months to upgrade to 12 before security fixes are ended too. Don't put it off or you'll find yourself with an unsupported version before you realise it! ⌛
This means you've only got 6 months to upgrade to 12 before security fixes are ended too. Don't put it off or you'll find yourself with an unsupported version before you realise it! ⌛
September 1, 2025 at 8:06 PM
Friendly reminder: Laravel 11 stops receiving bug fixes on Wednesday! 😱
This means you've only got 6 months to upgrade to 12 before security fixes are ended too. Don't put it off or you'll find yourself with an unsupported version before you realise it! ⌛
This means you've only got 6 months to upgrade to 12 before security fixes are ended too. Don't put it off or you'll find yourself with an unsupported version before you realise it! ⌛
4 years of Securing Laravel! 🎂
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
4 years of Securing Laravel! 🎂
I almost missed it, but it's time to celebrate 4 years of Securing Laravel!
securinglaravel.com
September 1, 2025 at 7:59 AM
4 years of Securing Laravel! 🎂
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
🎉 120 Security Tips
🕵️ 37 In Depth articles
Thank you all for the support over the years!
securinglaravel.com/4-years/ #Laravel
For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1!
HMAC's are significantly harder to brute-force and don't suffer from collisions like simpler hashing algos.
securinglaravel.com/security-tip... #Laravel
HMAC's are significantly harder to brute-force and don't suffer from collisions like simpler hashing algos.
securinglaravel.com/security-tip... #Laravel
Security Tip: Use HMAC Hashes To Verify Data
[Tip#66] For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1.
securinglaravel.com
August 28, 2025 at 10:08 AM
For those situations where you need to generate a repeatable hash or signature, reach for HMAC, rather than MD5 or SHA1!
HMAC's are significantly harder to brute-force and don't suffer from collisions like simpler hashing algos.
securinglaravel.com/security-tip... #Laravel
HMAC's are significantly harder to brute-force and don't suffer from collisions like simpler hashing algos.
securinglaravel.com/security-tip... #Laravel
Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it...
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel
Security Tip: Do You Really Need a Hash for That?
[Tip#65] Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it...
securinglaravel.com
August 27, 2025 at 1:11 AM
Before you reach for a hashing function, stop and think about what you're hashing and why you're hashing it...
securinglaravel.com/security-tip... #Laravel
securinglaravel.com/security-tip... #Laravel