php-security
Safeguard articles tagged "php-security" — guides, analysis, and best practices for software supply chain and application security.
19 articles
Hardening PHP-FPM and Apache Container Images
PHP containers ship with defaults built for compatibility, not security. Opcache settings, disabled functions, and process ownership close the gaps.
Preventing open redirect vulnerabilities in Laravel
Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.
PHP code security fundamentals: injection, deserialization, and file inclusion
PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.
PHP Laravel security best practices
One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.
Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode
Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.
Laravel Lang supply chain advisory
A leaked PAT let attackers rewrite 700+ git tags across four Laravel-Lang packages, planting a credential stealer that ran on every PHP request.
PHP security best practices guide
A practical PHP security best practices guide covering SQL injection, deserialization RCE, upload hardening, dependency risk, and real exploited CVEs like CVE-2024-4577.
Securing Laravel PHP applications
CVE-2021-3129, leaked APP_KEYs, and Eloquent mass assignment still compromise Laravel apps in 2026 — here's how each attack works and how to close it.
PHP Security Explained
PHP still runs ~74% of the web. From the 2024 PHP-CGI RCE to WordPress plugin flaws, here's what actually breaks PHP apps in production.
Composer Arbitrary Code Execution via Platform Config Han...
CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.
The Six-Month PEAR go-pear.phar Installer Compromise
How a single tampered PEAR go-pear.phar installer sat undetected on pear.php.net for months, what it could do, and what the PHP ecosystem learned about supply chain trust.
Packagist typosquatting report
A report on Packagist typosquatting campaigns targeting Composer/PHP packages, how attackers exploit install hooks, and how to detect them.