⚠️ Top 10 Laravel security issues I've found during audits ⚠️
#1 → Exposed API Keys & Passwords
How many times do I need to say it?
Don't commit secrets into git!😡
Don't commit secrets into git!😡
Don't commit secrets into git!😡
Don't commit secrets into git!😡
The unsurprising champion: API keys and passwords committed into version control, and scattered across codebases.
API keys unlock billing, storage, PII, and lots more, so committing them is a terrible idea given how widely code and repos get shared with 3rd party services and other devs.
The tools I use to find secrets are:
Gitleaks: github.com/zricethezav/…
TruffleHog: github.com/trufflesecur…
I wrote about them over here:
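Added here as an illustration (not code from the thread, and not the write-up it links to): a minimal pre-commit style check that blocks the two things this point is about, a real `.env` file being staged and secret-shaped values (Laravel `APP_KEY`, AWS key ids, filled-in credential variables) appearing in staged files. The regexes, the placeholder list and the sample values are my own constructed assumptions; for a real audit run Gitleaks or TruffleHog, which cover far more patterns.

```shell
#!/bin/sh
# Added example, not from the original thread. Patterns, placeholder list and
# sample values are constructed for illustration; Gitleaks/TruffleHog do this
# properly and with far more rules.

# Secret shapes worth blocking outright. "base64:" followed by a long base64
# string is the format of a Laravel APP_KEY; "AKIA" + 16 chars is an AWS access
# key id; the last line catches credential variables that have a value filled in.
SECRET_PATTERNS='APP_KEY=base64:[A-Za-z0-9+/=]{40,}
AKIA[0-9A-Z]{16}
(DB_PASSWORD|AWS_SECRET_ACCESS_KEY|STRIPE_SECRET|MAIL_PASSWORD)=[^[:space:]]+'

# Obvious placeholder values (the kind shipped in .env.example) that must not
# trip the check. Constructed list, extend as needed.
PLACEHOLDER_RE='=(null|secret|password|your-[a-z-]+|xxx+|changeme)$'

# is_env_file PATH -> returns 0 if PATH is a real .env file (the .env.example
# template is allowed in git, everything else named .env or .env.* is not)
is_env_file() {
    case "$(basename "$1")" in
        .env.example) return 1 ;;
        .env|.env.*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# scan_file FILE -> prints "line:content" for each hit; returns 0 if clean, 1 otherwise
scan_file() {
    file="$1"
    hits=$(printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pattern; do
        grep -En -- "$pattern" "$file" | grep -Ev -- "$PLACEHOLDER_RE" || true
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# check_staged -> runs both checks over files staged for commit; returns 1 if
# the commit should be blocked. Staged paths containing whitespace are not
# handled by this simple loop.
check_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        if is_env_file "$f"; then
            echo "blocked: $f is a real .env file, not a template" >&2; status=1
        elif ! scan_file "$f"; then
            echo "blocked: possible secret in $f (see lines above)" >&2; status=1
        fi
    done
    return $status
}
```

Wire it up as `.git/hooks/pre-commit` with `check_staged || exit 1` at the end; the `.env.example` exception is what keeps Laravel's template committable while a populated `.env` is refused.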