Stephen Rees-Carter
@valorin
Friendly Hacker, Speaker, and PHP & Laravel Security Specialist.🕵️ I write http://securinglaravel.com and hack stuff on stage for fun. 😈 (he/him)
All my socials 👉 pinkary.com/@valorin
Laravel Security:
1️⃣ Weekly Security Tips & In Depth Articles: securinglaravel.com
2️⃣ Practical Security Course: practicallaravelsecurity.com
3️⃣ Security Audits and Penetration Tests: valorinsecurity.com
The State Of Laravel 2025 survey has started! You can now participate to identify how the ecosystem changed over the past 12 months! Please RT for reach ❤️ stateoflaravel.com/participate?re…
Anyone want to throw a pile of money at me to fund a really cool research idea I have? 🤣 Will take a bit of time to get set up, but would be a great thing to have in the Laravel and PHP community.
Worried about the security of your Laravel app, or found vulnerable code & need to check there isn't more? 😱 Book in a Laravel Security Audit and Penetration Test today! I'll help secure your code, find vulns and give practical advice for Laravel apps! valorinsecurity.com
This is your periodic reminder to ensure bcrypt rounds is set to 12 (or higher)! Laravel's default was increased from 10 to 12 two years ago, so if you're working on an older codebase, make sure you've updated `bcrypt.rounds`. securinglaravel.com/security-tip-i… #Laravel
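Raising the configured rounds only affects hashes created from then on; existing users keep their cost-10 hashes until they are rehashed. The snippet below is an added example, not code from the post: it assumes `config/hashing.php` sets `'bcrypt' => ['rounds' => env('BCRYPT_ROUNDS', 12)]`, and uses Laravel's `Hash::needsRehash()` / `Hash::info()` (real APIs) to upgrade old hashes at login and to audit stored cost values.

```php
<?php
// Added example: upgrade bcrypt hashes made under the old default (cost 10)
// once the app is configured for 12+. LoginController and auditBcryptCost()
// are hypothetical names; the Hash/Auth facade calls are standard Laravel.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class LoginController extends Controller
{
    public function store(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        if (! Auth::attempt($credentials)) {
            return back()->withErrors(['email' => 'Invalid credentials.']);
        }

        $user = $request->user();

        // needsRehash() compares the cost embedded in the stored hash
        // ("$2y$10$...") with the rounds currently configured. The plaintext is
        // only available right now, so this is the moment to upgrade the hash.
        if (Hash::needsRehash($user->getAuthPassword())) {
            $user->password = Hash::make($credentials['password']);
            $user->save();
        }

        $request->session()->regenerate();

        return redirect()->intended('/');
    }
}

/**
 * Extract the bcrypt cost from a stored hash, e.g. for an audit command that
 * counts how many users are still below the configured minimum.
 * Returns null for non-bcrypt or malformed values.
 */
function auditBcryptCost(string $storedHash): ?int
{
    $info = Hash::info($storedHash);          // wraps password_get_info()

    return $info['algoName'] === 'bcrypt'
        ? ($info['options']['cost'] ?? null)  // e.g. 10 for an outdated hash
        : null;
}
```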
We've all heard about SQLi and XSS, but what about another big injection vector: Command Injection? It's less common but just as critical if your app does anything on the command line. Plus, it's not as easy to blindly escape... 😯 securinglaravel.com/security-tip-w… #Laravel
Big if true: df59ab956f46fdf657a4dad9293638c9 See you at Laracon! 😇
For those who missed it, I recently launched sponsors on Securing Laravel! 🎉 Sponsoring SL is the perfect way to get your brand in front of thousands of security-conscious Laravel devs, and support my security work within the community. More details: securinglaravel.com/sponsor/
It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! 🤨 securinglaravel.com/security-tip-d… #Laravel
Does anyone in the @laravelphp community have a recommendation for an automated code vulnerability scanning tool? We have tried @github Code Security & Amazon Inspector - both are terrible at scanning PHP (in particular Laravel projects).
Something I should have included in the original post: Livewire may be included through a dependency, like Pulse or Filament, and not show up in your composer.json! 🚨 Run `composer show livewire/livewire` to check if it's installed - or just update everything regardless!
⚠️ New CRITICAL vulnerability disclosed in Livewire v3, you need to update ASAP! ⚠️ This is a rather sneaky one that gives an attacker RCE (under the right conditions), and can be done unauthenticated with no user input... hence CRITICAL. 😱 securinglaravel.com/security-notic… #Laravel
This affects @laravelpulse and @filamentphp users so update if you’re using either package!
Identifying email billing scams is such a hard problem that AWS has decided to change their billing emails domain from the very confusing and hard to identify "email.amazon.com" to the totally simple and not-suspicious-in-any-way "…and-invoicing.us-east-1.amazonaws.com". WTF AWS??!! 🤦

It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a timing attack safe string comparison function like hash_equals()! securinglaravel.com/security-tip-c… #Laravel
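An added example, not code from the post: a hypothetical webhook signature check written twice, once with the `===` comparison the tip warns against and once with `hash_equals()`. The header name `X-Signature` and the `services.webhook.secret` config key are assumptions.

```php
<?php
// Added example: `===` stops at the first mismatching byte, so the response
// time varies with how many leading bytes of the signature match. hash_equals()
// takes the same time regardless of where the strings differ.

function verifySignatureUnsafe(string $payload, string $providedSig, string $secret): bool
{
    $expected = hash_hmac('sha256', $payload, $secret);

    return $expected === $providedSig;        // timing-dependent comparison
}

function verifySignatureSafe(string $payload, string $providedSig, string $secret): bool
{
    $expected = hash_hmac('sha256', $payload, $secret);

    // Argument order matters: the known/trusted value goes first. Only the
    // length of the second (user-supplied) argument is observable via timing,
    // and that is public anyway for a fixed-size HMAC.
    return hash_equals($expected, $providedSig);
}

// Laravel usage (e.g. in a middleware or controller). Note the '' default:
// hash_equals() throws a TypeError on null in PHP 8, so never pass a missing
// header straight through.
//
// $sig = $request->header('X-Signature', '');
// abort_unless(
//     verifySignatureSafe($request->getContent(), $sig, config('services.webhook.secret')),
//     401
// );

// Constructed self-check values, runnable with plain `php`:
$secret  = 'constructed-test-secret';
$payload = '{"event":"invoice.paid","id":"inv_0001"}';
$good    = hash_hmac('sha256', $payload, $secret);
$bad     = substr($good, 0, -1) . ($good[-1] === '0' ? '1' : '0');

var_dump(verifySignatureSafe($payload, $good, $secret));   // bool(true)
var_dump(verifySignatureSafe($payload, $bad, $secret));    // bool(false)
```

The same rule applies to API tokens, CSRF tokens and password-reset tokens: any time one side of the comparison is attacker-controlled, use `hash_equals()`.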
I've had some availability open up, so if you're looking for a Laravel Security Audit and Penetration Test, DM (or email) me! 🕵️ I specialise in Laravel security audits and have helped many dev teams find and fix some 😱 critical vulnerabilities. valorinsecurity.com #Laravel
Is it a "premature optimisation" to add authorisation to your app before you know how your authorisation will be structured, or should you consider authorisation and add placeholders when writing new code and building new features from the start? securinglaravel.com/security-tip-a… #Laravel
🎤 That’s a wrap for week one of #LaraconAU speaker reveals! ✅ @MidgetK (DCODE Group) ✅ @valorin (Valorin Security) ✅ @MishManners (AI Founder) Incredible lineup already - and we’re just getting started.
Ugh, I hate this place. Spammed with DM notifications for group spam, but absolutely no notifications for legitimate DMs. 😡 If you're trying to reach out to me, send me an email (stephen -at- valorinsecurity - com) or DM via a different platform. I probably won't get it here.