What is/are…
- the basic terms and concepts used in Cryptography?
  If you learn nothing else, remember that you don't encrypt passwords, you hash them.
- the most secure cryptography libraries available to PHP developers?
  Best choice: libsodium. For those who already know not to roll their own cryptography, this post should serve as a good Step Two.

How do I implement…
- secure encrypted cookies in PHP?
  For best results, use authenticated secret-key encryption facilitated by libsodium (available in PECL).
- secure random numbers, strings, and passphrases in PHP?
  The hard part is implementing a replacement for rand() and mt_rand() backed by a CSPRNG. PHP 7 offers random_int(). Everything else falls into place.
- "remember me" cookies in PHP?
  Our strategy is detailed and proactively secure against information (e.g. timing) leaks.
- secure "I forgot my password" features in PHP?
  If you wish to allow users to reset their passwords, read this.
- secure PHP sessions?
  Use HTTPS, generate session identifiers with a CSPRNG, make sure your configuration is solid. Don't store everything in a cookie (unless you absolutely must).
- secure user authentication in PHP?
  Hash your passwords with a modern password hashing algorithm. If you feel the need to add a pepper, you should instead consider encrypting the hashes. (Do not encrypt the passwords themselves.)
- URL parameter encryption?
  In a word: Don't. Re-think your application design.
- secure file uploading?
  To protect your server, store all uploaded files outside of your document root so they aren't directly accessible/executable.
- an optimal Double HMAC strategy?
  Double HMAC is a way to stop timing attacks. We propose a robust and dependable way to implement it.
How do I…
- determine the potential impact of a security vulnerability?
  Don't focus on impact, aim for zero outstanding security issues.
- prevent SQL injection in PHP?
  Use prepared statements. For dynamic queries, strictly whitelist anything that cannot be escaped.
- prevent Cross-Site Scripting (XSS) in PHP?
  Use context-sensitive escaping strategies (your template engine should provide this).
- reduce the risk for my business's website (for non-experts)?
  Use a password manager, meticulously update your software, use secure protocols and apps.
- securely handle users' passwords?
  One of: Argon2, scrypt, bcrypt, PBKDF2. Blog post contains example code.
- simply and securely encrypt/decrypt strings in PHP?
  Easy. Use libsodium or a renowned cryptography library, such as the PHP encryption library by Defuse Security.
- teach myself application security?
  We maintain an application security reading list on Github.
Why should I…
- authenticate my ciphertexts?
  An encrypted message can still be tampered with unless you authenticate it.
- avoid using the mcrypt extension in PHP projects?
  The mcrypt extension works against developers seeking a secure implementation, libmcrypt has been abandoned, and the OpenSSL extension is better.
- invest time and money into improving the security of my software?
  The average data breach costs millions of dollars. A year of development time costs thousands. Do the math.