the basic terms and concepts used in cryptography?
If you learn nothing else, remember that you don't encrypt passwords, you hash them.
the most secure cryptography libraries available to PHP developers?
Best choice: libsodium. For those who already know not to roll their own cryptography, this post should serve as a good Step Two.
How do I implement…
secure encrypted cookies in PHP?
For best results, use authenticated secret-key encryption facilitated by libsodium (available in PECL).
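As an added example (not code from the original post or from Paragon Initiative Enterprises), here is a small authenticated encrypted cookie built on libsodium's secretbox. It assumes PHP 7.2 or later with ext/sodium (PHP 7.3 for the `setcookie()` options array), a 32-byte key supplied through an environment variable named `COOKIE_KEY_HEX` (an assumed name), and a cookie name `session_data` (also assumed):

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Authenticated encryption of a
// cookie value with libsodium secretbox (XSalsa20-Poly1305). The key never
// travels in the cookie; COOKIE_KEY_HEX is an assumed configuration name.

const COOKIE_NAME = 'session_data'; // assumed cookie name

/** Loads the 32-byte secretbox key from configuration and validates its length. */
function cookie_key(): string
{
    $hex = getenv('COOKIE_KEY_HEX');
    if ($hex === false) {
        throw new RuntimeException('COOKIE_KEY_HEX is not set');
    }
    $key = sodium_hex2bin($hex); // throws SodiumException on malformed hex
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('cookie key must be exactly 32 bytes');
    }
    return $key;
}

/** Encrypts and authenticates $plaintext; returns nonce || ciphertext as URL-safe base64. */
function seal_cookie(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per encryption
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $ciphertext, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Returns the plaintext, or null if the cookie is malformed or its Poly1305 tag fails. */
function open_cookie(string $cookie, string $key): ?string
{
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64: treat like any other tampered cookie
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to contain a nonce and a tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

// Demo setup: a constructed key; in production it comes from configuration.
putenv('COOKIE_KEY_HEX=' . sodium_bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
$key = cookie_key();

$cookieValue = seal_cookie(json_encode(['uid' => 42, 'role' => 'user']), $key);
setcookie(COOKIE_NAME, $cookieValue, [
    'expires'  => time() + 3600,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Reading it back, then showing that a single flipped ciphertext byte is rejected.
var_dump(open_cookie($cookieValue, $key));
$raw = sodium_base642bin($cookieValue, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(open_cookie(sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING), $key));
sodium_memzero($key);
```

The first `var_dump()` prints the JSON that was sealed; the second prints `NULL`, because `sodium_crypto_secretbox_open()` fails the tag check on the modified byte rather than returning garbage. Anything stored this way still has to be treated as untrusted input after decryption (validate the decoded JSON), and the cookie should carry an expiry inside the plaintext if replaying an old value matters to you.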
secure random numbers, strings, and passphrases in PHP?
The hard part is implementing a replacement for mt_rand() backed by a CSPRNG. PHP 7 offers random_int(). Everything else falls into place.
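To show what "everything else falls into place" looks like, here is an added example (not code from the original post) that builds the usual mt_rand() conveniences on top of random_int() in PHP 7+. The wordlist is constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. random_int() draws from the
// OS CSPRNG and rejects out-of-range values instead of reducing modulo the
// range, so everything built on it here is unbiased.

/** A random string of $length characters drawn uniformly from $alphabet. */
function random_string(
    int $length,
    string $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
): string {
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need a positive length and at least two symbols');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** A diceware-style passphrase: $words words chosen uniformly from a list. */
function random_passphrase(array $wordlist, int $words = 6, string $sep = ' '): string
{
    $wordlist = array_values($wordlist); // ensure 0..n-1 indexing
    $max = count($wordlist) - 1;
    if ($words < 1 || $max < 1) {
        throw new InvalidArgumentException('need a positive word count and at least two words');
    }
    $picked = [];
    for ($i = 0; $i < $words; $i++) {
        $picked[] = $wordlist[random_int(0, $max)];
    }
    return implode($sep, $picked);
}

/** Fisher-Yates shuffle driven by the CSPRNG; PHP's shuffle() is not CSPRNG-backed. */
function secure_shuffle(array $items): array
{
    $items = array_values($items);
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}

// Constructed wordlist for the demo; a real one (e.g. a diceware list) has thousands of entries.
$wordlist = ['correct', 'horse', 'battery', 'staple', 'lantern', 'orbit', 'velvet', 'quartz'];

echo random_string(32), PHP_EOL;          // 32 symbols from a 62-symbol alphabet: about 190 bits
echo random_passphrase($wordlist, 4), PHP_EOL;
echo implode(',', secure_shuffle(range(1, 10))), PHP_EOL;
```

The entropy of a token is `length * log2(alphabet size)`, so 32 characters from 62 symbols gives roughly 190 bits; for a passphrase it is `words * log2(list size)`, which is why an eight-word list as above is only a demo. For raw bytes, random_bytes() is the direct call and needs no alphabet.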
"remember me" cookies in PHP?
Our strategy is detailed and proactively secure against information (e.g. timing) leaks.
secure "I forgot my password" features in PHP?
If you wish to allow users to reset their passwords, read this.
secure PHP sessions?
Use HTTPS, generate session identifiers with a CSPRNG, make sure your configuration is solid. Don't store everything in a cookie (unless you absolutely must).
secure user authentication in PHP?
Hash your passwords with a modern password hashing algorithm. If you feel the need to add a pepper, you should instead consider encrypting the hashes.
(Do not encrypt the passwords themselves).
URL parameter encryption?
In a word: Don't. Re-think your application design.
secure file uploading?
To protect your server, store all uploaded files outside of your document root so they aren't directly accessible/executable.
an optimal Double HMAC strategy?
Double HMAC is a way to stop timing attacks on string comparison. We propose a robust and dependable way to implement it.
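An added example of the comparison (not code from the original post) that shows the idea in PHP. The built-in hash_equals() (PHP 5.6+) is the normal answer; double HMAC is the fallback when you cannot rely on it, or an extra layer when you want one. The demo values are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Comparing $known and $given
// directly with === stops at the first differing byte, so its running time
// leaks how much of $known an attacker has guessed. Running both values
// through HMAC under a fresh random key first means the === that follows
// compares two values the attacker cannot predict: any timing it leaks says
// nothing about $known.

function double_hmac_equals(string $known, string $given): bool
{
    $key = random_bytes(32); // single-use key, never disclosed
    $a = hash_hmac('sha256', $known, $key, true);
    $b = hash_hmac('sha256', $given, $key, true);
    return $a === $b; // non-constant-time, but operating on unpredictable values
}

/** Verify a received MAC tag against the one computed for $message. */
function verify_message_tag(string $message, string $tag, string $macKey): bool
{
    $expected = hash_hmac('sha256', $message, $macKey, true);
    if (strlen($tag) !== strlen($expected)) {
        return false; // the tag length is public, so rejecting early leaks nothing
    }
    return double_hmac_equals($expected, $tag);
}

// Constructed demo values.
$macKey  = random_bytes(32);
$message = 'transfer 100 to account 7';
$tag     = hash_hmac('sha256', $message, $macKey, true);

var_dump(verify_message_tag($message, $tag, $macKey));                        // genuine message
var_dump(verify_message_tag('transfer 900 to account 7', $tag, $macKey));     // altered message
```

The first call returns true and the second false. The random key must be generated per comparison: with a fixed key the HMAC outputs become predictable to anyone who learns the key, and the protection collapses back to a plain comparison.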
How do I…
determine the potential impact of a security vulnerability?
Don't focus on impact; aim for zero outstanding security issues.
prevent SQL injection in PHP?
Use prepared statements. For dynamic queries, strictly whitelist anything that cannot be passed as a bound parameter (table and column names, sort direction, and other SQL keywords).
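An added example (not code from the original post) of both halves of that advice with PDO: a bound parameter for the value, and a fixed whitelist for the ORDER BY column and direction, which cannot be bound. It uses an in-memory SQLite database constructed here so it runs offline; the vulnerable function is included only as the "before":

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Requires ext/pdo_sqlite.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares where the driver supports them
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name, email, created) VALUES (?, ?, ?)');
foreach ([['alice', 'alice@example.com', '2024-01-02'],
          ['bob',   'bob@example.com',   '2024-01-01']] as $row) {
    $insert->execute($row);
}

/** VULNERABLE ("before"): user input spliced into the SQL text. */
function find_by_name_unsafe(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT id, name FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: the value travels as a bound parameter, never as SQL text. */
function find_by_name(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Dynamic ORDER BY: identifiers and keywords cannot be bound, so both are
 * looked up in a fixed whitelist and anything else is rejected outright.
 */
function list_users(PDO $pdo, string $orderBy, string $direction): array
{
    $columns    = ['name' => 'name', 'email' => 'email', 'created' => 'created'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dir = strtolower($direction);
    if (!isset($columns[$orderBy], $directions[$dir])) {
        throw new InvalidArgumentException('unsupported sort order');
    }
    $sql = 'SELECT id, name FROM users ORDER BY ' . $columns[$orderBy] . ' ' . $directions[$dir];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: turns the WHERE clause into a tautology in the unsafe version.
$payload = "x' OR '1'='1";
echo count(find_by_name_unsafe($pdo, $payload)), ' rows from the unsafe query', PHP_EOL;
echo count(find_by_name($pdo, $payload)), ' rows from the prepared query', PHP_EOL;
print_r(list_users($pdo, 'created', 'asc'));
try {
    list_users($pdo, 'name; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The unsafe query returns every user for that payload, the prepared one returns none (there is no user literally named `x' OR '1'='1`), and the injected ORDER BY is refused before any SQL is built. The whitelist maps user-supplied keys to fixed SQL fragments rather than passing the input through, so escaping never enters into it.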
prevent Cross-Site Scripting (XSS) in PHP?
Use context-sensitive escaping strategies (your template engine should provide this).
reduce the risk for my business's website (for non-experts)?
Use a password manager, meticulously update your software, use secure protocols and apps.
securely handle users' passwords?
One of: Argon2, scrypt, bcrypt, PBKDF2. Blog post contains example code.
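An added example (not the blog post's own code) covering both this item and the "secure user authentication" item above: hash with password_hash() (Argon2id on PHP 7.3+ builds with Argon2 support, otherwise bcrypt), verify with password_verify(), rehash when parameters change, and, instead of a pepper, encrypt the stored hash with a libsodium key kept outside the database. It assumes ext/sodium; the demo key is constructed inline:

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. The password itself is never
// encrypted; only the (already salted, slow) hash is, with a key that lives
// in configuration rather than next to the hashes in the database.

function password_hash_algo(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

/** Hash the password, then encrypt the hash. Returns the string to store in the users table. */
function protect_password(string $password, string $hashKey): string
{
    $hash  = password_hash($password, password_hash_algo());
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($hash, $nonce, $hashKey);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/**
 * Decrypt the stored value, verify the password against the recovered hash,
 * and report whether the row should be re-protected with current parameters.
 * Returns [bool $valid, ?string $newStoredValue].
 */
function check_password(string $password, string $stored, string $hashKey): array
{
    try {
        $raw = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return [false, null];
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $hash  = sodium_crypto_secretbox_open($box, $nonce, $hashKey);
    if ($hash === false) {
        return [false, null]; // wrong key or tampered row: treat as a failed login
    }
    if (!password_verify($password, $hash)) {
        return [false, null];
    }
    $newStored = password_needs_rehash($hash, password_hash_algo())
        ? protect_password($password, $hashKey)
        : null;
    return [true, $newStored];
}

// Constructed demo; the key would normally be loaded from configuration.
$hashKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$stored  = protect_password('correct horse battery staple', $hashKey);

[$ok, $rehash] = check_password('correct horse battery staple', $stored, $hashKey);
var_dump($ok);                                                          // correct password
[$ok, $rehash] = check_password('wrong password', $stored, $hashKey);
var_dump($ok);                                                          // wrong password
```

The first check returns true and the second false; `$rehash` is non-null only when the stored hash was produced with weaker parameters than the current defaults, in which case the caller writes it back. Encrypting the hash gives the same benefit a pepper is meant to give (a database dump alone is useless) while keeping key rotation possible: decrypt with the old key, re-encrypt with the new one, and no user has to log in for the change to take effect. Note that bcrypt only uses the first 72 bytes of the password.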
simply and securely encrypt/decrypt strings in PHP?
Easy. Use libsodium or a renowned cryptography library, such as the PHP encryption library by Defuse Security.
teach myself application security?
We maintain an application security reading list on GitHub.
Why should I…
authenticate my ciphertexts?
An encrypted message can still be tampered with unless you authenticate it.
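An added example (not code from the original post) of the tampering itself. AES-256-CTR through ext/openssl is a keystream cipher: flipping a ciphertext bit flips the same plaintext bit, and the recipient cannot tell. The same edit against libsodium's secretbox is refused. The message and keys are constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Requires ext/openssl and ext/sodium.

function ctr_encrypt(string $plaintext, string $key, string $iv): string
{
    return openssl_encrypt($plaintext, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv);
}

function ctr_decrypt(string $ciphertext, string $key, string $iv): string
{
    return openssl_decrypt($ciphertext, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv);
}

/**
 * Attacker's edit: XOR the ciphertext bytes at $offset with ($from XOR $to),
 * so the plaintext there changes from $from to $to. Needs no key, only the
 * knowledge of what plaintext sits at that position.
 */
function flip(string $ciphertext, int $offset, string $from, string $to): string
{
    for ($i = 0; $i < strlen($from); $i++) {
        $ciphertext[$offset + $i] = chr(ord($ciphertext[$offset + $i]) ^ ord($from[$i]) ^ ord($to[$i]));
    }
    return $ciphertext;
}

// Constructed message in a format the attacker knows; the keys remain secret.
$message = 'amount=0100;to=alice';
$key = random_bytes(32);
$iv  = random_bytes(16);

// Unauthenticated: the forged ciphertext decrypts cleanly to the attacker's amount.
$ct     = ctr_encrypt($message, $key, $iv);
$forged = flip($ct, strlen('amount='), '0100', '9999');
echo ctr_decrypt($forged, $key, $iv), PHP_EOL;

// Authenticated: secretbox output is 16-byte Poly1305 tag || ciphertext, so the
// same plaintext position sits 16 bytes further in; the edit breaks the tag
// and decryption fails closed.
$sbKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$box   = sodium_crypto_secretbox($message, $nonce, $sbKey);
$forgedBox = flip($box, SODIUM_CRYPTO_SECRETBOX_MACBYTES + strlen('amount='), '0100', '9999');
var_dump(sodium_crypto_secretbox_open($forgedBox, $nonce, $sbKey));
```

The first output line reads `amount=9999;to=alice`; the `var_dump()` prints false. CBC mode is malleable in a different way (bit flips scramble one block and edit the next), so the lesson is not specific to CTR: without a MAC or an AEAD mode, decrypting is not the same as verifying.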
avoid using the mcrypt extension in PHP projects?
The mcrypt extension works against developers seeking a secure implementation, libmcrypt has been abandoned, and the OpenSSL extension is better.
invest time and money into improving the security of my software?
The average data breach costs millions of dollars. A year of development time costs thousands. Do the math.