loading...

re: What are your default 'safe' meaning in software security? VIEW POST

FULL DISCUSSION
 

Most times, the human is the weakest link when it comes to security. I recommend the following to secure yourself and the services you use. Having a secure codebase won't do much if an attacker can bypass that by attacking your passwords.

  • Use secure admin passwords (with numbers and symbols) for any third-party services used for the app.
  • Do regular resets for admin passwords.
  • Don't store passwords on a sticky note or a text file.
  • Enable 2FA for any third-party services used for the app.
  • Do not reuse the same password for every service.
  • Don't click links in sketchy emails (phishing). For questionable emails, go directly to that website and log in instead of clicking the link.

Some for code:

  • Hashed and salted passwords.
  • Using prepared statements in SQL can help prevent against SQL injection.
  • Separate your environment variables from your code in a .env file, outside of your code. Do not put API keys or database connection information directly in your code. If it were ever open sourced, that would be visible to everyone.
    • I have also seen cases where credentials were in a .js file (intended to run for Node.js) and stored in a folder that was hosted on a web server. Since .js files should be viewable/runnable from a browser you could navigate to website.com/index.js and the credentials were visible.
  • For JWTs, you need a method to expire them. Otherwise, an attacker can get a user's JWT from local storage and make requests on their behalf.
  • Always confirm a user's permissions in server-side code, not client-side. A user should not be able to write &admin=true in the URL and gain access to an area they should not have access too.
 

Hi ryan thanks for advice. Been trying new Sodium hash format for now.

I use .env files but that same folder on server as my code is that okay?

I heard backthen some of Laravel folks with weak security server leaked .env files on google search

Code of Conduct Report abuse