Blog

A practical security checklist for Laravel developers. Covers .env protection, debug mode, session cookies, CORS, CSRF, security headers, dependency audits, and more. Copy this list into your deployment workflow.

Matt King

April 15, 2026

Read More

File uploads are one of the most dangerous features in any Laravel application. A single misconfiguration can let an attacker upload a PHP shell and take full control of your server. Here is how to lock it down properly.

Matt King

April 14, 2026

Read More

Dangling DNS records are one of the most overlooked attack vectors in Laravel deployments. Learn how subdomain takeover works, why deprovisioned cloud resources create exploitable gaps, and how to protect your application.

Matt King

April 7, 2026

Read More

Your Laravel CORS policy might be letting any website read your API responses. Learn how wildcard origins with credentials, reflected Origin headers, and permissive config/cors.php defaults create security holes, with exact fixes for each.

Matt King

March 31, 2026

Read More

The OWASP Top 10 2025 added supply chain failures at #3 and error handling at #10, while injection dropped to #5. Here is the full updated list and what Laravel developers need to do differently.

Matt King

March 24, 2026

Read More

The first DNS security update from NIST since 2013 changes how you should handle Protective DNS, encrypted DNS, DNSSEC, and dangling records. Here are the 6 key changes and what to do about each one.

Matt King

March 23, 2026

Read More

GitGuardian found 260,000 exposed Laravel APP_KEYs on GitHub. With the right key, attackers can achieve remote code execution on your server in seconds. Here is how the attack works and how to protect yourself.

Matt King

March 19, 2026

Read More

CVE-2025-54068 is a critical remote code execution vulnerability in Livewire v3 that allows unauthenticated attackers to execute arbitrary code on your server. With 130,000+ applications affected, here is how to check if you are vulnerable and patch it.

Matt King

March 19, 2026

Read More

Three malicious Packagist packages disguised as Laravel utilities deploy a cross-platform RAT that gives attackers full shell access, reads your .env, and exfiltrates credentials. Here is what happened, how to check if you are affected, and what to do.

Matt King

March 16, 2026

Read More

GitLab patched a high-severity two-factor authentication bypass (CVE-2026-0723, CVSS 7.4) that lets attackers hijack accounts. Here is what the vulnerability is, who is affected, and how to remediate it.

Matt King

March 12, 2026

Read More

Laravel's AI SDK, Boost, and tools like Cursor and Claude Code are changing how we build applications. But over 40% of AI-generated code contains security flaws. Here is how to ship faster without opening the door to attackers.

Matt King

March 12, 2026

Read More

A comprehensive, 30-point security checklist covering every layer of your Laravel application. From .env protection and security headers to debug mode detection and DNS security.

Matt King

March 11, 2026

Read More

External Attack Surface Management continuously discovers and monitors your internet-facing assets for security risks. Learn how EASM differs from DAST, SAST, and pentesting, and why every team shipping web apps needs it.

Matt King

March 11, 2026

Read More

A practical, code-heavy guide to securing Laravel applications. Covers configuration hardening, authentication, input validation, XSS and CSRF protection, API security, security headers, dependency management, and production deployment.

Matt King

March 11, 2026

Read More

An honest comparison of security tools for Laravel applications. Covers static analysis, dependency scanning, external monitoring, penetration testing, WAFs, and code review tools. Includes a feature comparison table to help you pick the right combination.

Matt King

March 10, 2026

Read More

A side-by-side comparison of continuous security monitoring and annual penetration testing. Learn when you need each, what they cost, and how they work together to protect your Laravel application.

Matt King

March 10, 2026

Read More

Debug mode in production exposes stack traces, database credentials, environment variables, and internal paths. Learn exactly what it reveals, how attackers use it, and how to make sure it never reaches production.

Matt King

March 9, 2026

Read More

A hands-on mapping of every OWASP Top 10 (2021) category to specific Laravel vulnerabilities, with code examples of what goes wrong and how to fix it.

Matt King

March 9, 2026

Read More

Your .env file contains database credentials, API keys, and encryption secrets. If it's accessible from the web, attackers already have everything they need. Here's how to check and fix it.

Matt King

March 8, 2026

Read More

Laravel Telescope records every request, query, job, and log entry in your application. Left exposed in production, it gives attackers a real-time view into your entire system.

Matt King

March 8, 2026

Read More

An attack surface is the total number of points where an attacker can try to enter or extract data from your system. Understanding yours is the first step to reducing it.

Matt King

March 7, 2026

Read More

Learn how to run composer audit to detect security vulnerabilities in your PHP dependencies, fix them with composer update, and automate audits in your CI/CD pipeline.

Matt King

March 7, 2026

Read More

The complete index of Laravel security resources. Find fix guides for exposed .env files, debug mode, XSS, CSRF, CORS, session security, and more. Plus checklists, comparison pages, and free scanning tools.

Matt King

March 6, 2026

Read More

Discover how to secure your Laravel application with the right security headers.

Matt King

March 6, 2026

Read More