Blog

Automate Laravel security checks in your GitHub Actions pipeline. Set up composer audit, static analysis, StackShield post-deploy scans, and block merges when vulnerabilities are found.

Matt King

June 4, 2026

Read More

Your session configuration is probably insecure by default. Learn how to configure HttpOnly, SameSite, Secure flags, session expiration, and driver selection to prevent hijacking and fixation.

Matt King

June 2, 2026

Read More

Only 22% of Laravel apps have a Content Security Policy. Learn how to implement CSP with spatie/laravel-csp, handle Livewire and Vite nonces, and avoid the mistakes that break production.

Matt King

May 30, 2026

Read More

CISA added the Livewire RCE vulnerability (CVE-2025-54068) to the Known Exploited Vulnerabilities catalog, linking it to active exploitation by Iranian APT MuddyWater. A Laravel ecosystem package is now on the same US government list as Apple and Microsoft. Here is what that changes for your team.

Matt King

May 28, 2026

Read More

A local privilege escalation vulnerability in the Linux kernel affects every server running a kernel from 2017 onward. Laravel Forge has issued a specific advisory. The exploit is 732 bytes, works reliably, and is active in the wild. Here is what Laravel teams need to do.

Matt King

May 26, 2026

Read More

Two command injection vulnerabilities in Composer's Perforce driver (CVE-2026-40261 and CVE-2026-40176) can be exploited even if Perforce is not installed on your system. Malicious package metadata from any Composer repository can trigger arbitrary shell command execution. Update to Composer 2.9.6 immediately.

Matt King

May 23, 2026

Read More

On April 30, 2026, attackers compromised intercom/intercom-php on Packagist (20.7 million lifetime installs). The malicious version auto-executed as a Composer plugin, downloading Bun and exfiltrating GitHub tokens, SSH keys, and environment variables. Here is what happened and how to protect yourself.

Matt King

May 21, 2026

Read More

Laravel Reverb versions 1.6.3 and below have a critical insecure deserialization vulnerability. When horizontal scaling is enabled, Reverb passes Redis channel data directly into unserialize() without class restrictions. If your Redis is unauthenticated, attackers can achieve full remote code execution. Here is how to check and fix it.

Matt King

May 19, 2026

Read More

A security-focused review of Laravel 13 for teams upgrading from Laravel 12. Covers new defaults, deprecated patterns, configuration changes, and a post-upgrade security checklist.

Matt King

May 16, 2026

Read More

A comprehensive PHP security audit guide covering dependency scanning, php.ini hardening, input validation, common vulnerability classes, static analysis tools, and web server configuration.

Matt King

May 14, 2026

Read More

A deep dive into Laravel session security. Learn how cookie flags, session drivers, and config/session.php settings protect against hijacking, fixation, and sidejacking attacks.

Matt King

May 9, 2026

Read More

How to add security gates to your Laravel CI/CD pipeline with GitHub Actions. Covers dependency scanning, static analysis, secret detection, and automated security monitoring.

Matt King

May 7, 2026

Read More

Laravel Horizon exposes your entire queue system, including job payloads, failed jobs with user data, and worker status. Here is how to lock it down properly in production.

Matt King

May 2, 2026

Read More

A step-by-step external penetration testing methodology for Laravel applications. Covers reconnaissance, fingerprinting, common exploit paths, tools, and when to hire a professional.

Matt King

April 30, 2026

Read More

Most Laravel deployments expose far more network services than developers realise. From MySQL and Redis to forgotten Vite dev servers, open ports give attackers a roadmap to your infrastructure. Here is how to find and close them.

Matt King

April 28, 2026

Read More

Cross-site scripting bypasses Laravel's default escaping more often than you think. Cover Blade's triple-brace pitfall, Livewire injection, and raw HTML output.

Matt King

April 27, 2026

Read More

A step-by-step guide to auditing the security of a Laravel application. Covers dependency scanning, configuration review, external scanning, code review patterns, and how to prioritize findings.

Matt King

April 26, 2026

Read More

SOC 2 and ISO 27001 audits increasingly flag missing or misconfigured security headers. Learn which headers auditors look for, how to implement them in Laravel middleware, and how to monitor compliance continuously.

Matt King

April 24, 2026

Read More

Typosquatting, dependency confusion, and hijacked maintainer accounts. A breakdown of how PHP supply chain attacks work, real incidents, and what you can do to protect your Composer dependencies.

Matt King

April 22, 2026

Read More

Vercel confirmed a security breach on April 19, 2026 after attackers compromised a third-party AI tool to pivot into internal systems. Environment variables, API keys, and deployment data were exposed. Here is what happened and how to protect your applications.

Matt King

April 20, 2026

Read More

The 40 security checks we run on every Laravel app before it goes live. Most apps fail at least 5. Covers exposed .env files, debug mode, missing headers, CORS, session config, and dependency vulnerabilities.

Matt King

April 15, 2026

Read More

File uploads are one of Laravel's most dangerous attack surfaces. Learn how attackers exploit validation gaps, path traversal, and storage misconfigs to achieve RCE.

Matt King

April 14, 2026

Read More

Dangling DNS records are one of the most overlooked attack vectors in Laravel deployments. Learn how subdomain takeover works, why deprovisioned cloud resources create exploitable gaps, and how to protect your application.

Matt King

April 7, 2026

Read More

Wildcard origins, reflected headers, and exposed credentials. These five CORS misconfigurations in Laravel let attackers bypass same-origin protections.

Matt King

March 31, 2026

Read More

The OWASP Top 10 2025 added supply chain failures at #3 and error handling at #10, while injection dropped to #5. Here is the full updated list and what Laravel developers need to do differently.

Matt King

March 24, 2026

Read More

The first NIST DNS security update since 2013. New guidance on Protective DNS, encrypted DNS (DoH/DoT), DNSSEC, and dangling record cleanup. Here are the 6 key changes and what to do.

Matt King

March 23, 2026

Read More

GitGuardian found 260,000 exposed Laravel APP_KEYs on GitHub. A leaked APP_KEY lets attackers forge cookies, deserialize objects, and get full RCE on your server. Here's how the attack chain works and how to rotate your key safely.

Matt King

March 19, 2026

Read More

CVE-2025-54068 is a critical remote code execution vulnerability in Livewire v3 that allows unauthenticated attackers to execute arbitrary code on your server. With 130,000+ applications affected, here is how to check if you are vulnerable and patch it.

Matt King

March 19, 2026

Read More

Three malicious Packagist packages disguised as Laravel utilities deploy a cross-platform RAT that gives attackers full shell access, reads your .env, and exfiltrates credentials. Here is what happened, how to check if you are affected, and what to do.

Matt King

March 16, 2026

Read More

GitLab patched a high-severity two-factor authentication bypass (CVE-2026-0723, CVSS 7.4) that lets attackers hijack accounts. Here is what the vulnerability is, who is affected, and how to remediate it.

Matt King

March 12, 2026

Read More

Laravel's AI SDK, Boost, and tools like Cursor and Claude Code are changing how we build applications. But over 40% of AI-generated code contains security flaws. Here is how to ship faster without opening the door to attackers.

Matt King

March 12, 2026

Read More

A comprehensive, 30-point security checklist covering every layer of your Laravel application. From .env protection and security headers to debug mode detection and DNS security.

Matt King

March 11, 2026

Read More

External Attack Surface Management continuously discovers and monitors your internet-facing assets for security risks. Learn how EASM differs from DAST, SAST, and pentesting, and why every team shipping web apps needs it.

Matt King

March 11, 2026

Read More

The complete production hardening guide for Laravel. Covers headers, sessions, environment config, rate limiting, authentication, and continuous monitoring.

Matt King

March 11, 2026

Read More

Compare the best security tools for Laravel. Covers static analysis, dependency scanning, external monitoring, penetration testing, and WAFs with a feature comparison table.

Matt King

March 10, 2026

Read More

A side-by-side comparison of continuous security monitoring and annual penetration testing. Learn when you need each, what they cost, and how they work together to protect your Laravel application.

Matt King

March 10, 2026

Read More

18% of Laravel apps run debug mode in production. Attackers use exposed stack traces, environment variables, and database credentials to compromise your app.

Matt King

March 9, 2026

Read More

SQL injection through raw queries. XSS from unescaped Blade output. CSRF bypasses on API routes. Every OWASP Top 10 category mapped to Laravel-specific vulnerabilities with code you can copy to fix them.

Matt King

March 9, 2026

Read More

12% of Laravel apps have publicly accessible .env files. Learn how attackers find them, what they steal, and how to verify yours is protected.

Matt King

March 8, 2026

Read More

Laravel Telescope records every request, query, job, and log entry in your application. Left exposed in production, it gives attackers a real-time view into your entire system.

Matt King

March 8, 2026

Read More

An attack surface is the total number of points where an attacker can try to enter or extract data from your system. Understanding yours is the first step to reducing it.

Matt King

March 7, 2026

Read More

Your composer.lock probably has vulnerable packages right now. Run composer audit to find them, fix with targeted updates, and add automated vulnerability scanning to your CI/CD pipeline so nothing ships unpatched.

Matt King

March 7, 2026

Read More

The complete index of Laravel security resources. Find fix guides for exposed .env files, debug mode, XSS, CSRF, CORS, session security, and more. Plus checklists, comparison pages, and free scanning tools.

Matt King

March 6, 2026

Read More

Discover how to secure your Laravel application with the right security headers.

Matt King

March 6, 2026

Read More