Security Corner: Enforcing Subresource Integrity

by · January 8, 2021


Any scripts or styles you include into your web application are called “subresources.” As these files can impact your application’s overall operation, it is critical for writing secure software that you ensure the integrity of any subresource loaded into the page. Otherwise, an untrusted party might inject malware, cryptocurrency miners, or another malicious payload into […]


Security Corner: Circuit Breakers

by · December 3, 2020


If your application’s stability depends on the availability of a third-party system, the reliability of that external system becomes critical to the smooth operation of your own. The circuit breaker pattern is a proven way to protect against an unstable system causing problems with yours. Use it, and you won’t be surprised by an unplanned […]


Security Corner: Self-obfuscating Value Objects—A Design Pattern for PII

by · November 11, 2020


Leveraging commonly used and well-defined design patterns is paramount in ensuring your application is stable and maintainable over time. Extending those design patterns to focus on security-first is an effective way of ensuring your application and its data are reliably secure. One such pattern is a Value Object, which can be customized to automatically and […]


Security Corner: Configurable Security

by · October 5, 2020


Having a tool like Mozilla’s Observatory scan the health of your site is useless if you lack the tools to properly secure it and pass the inspections in the first place. You can set most of the required settings directly in the source of your application.


Security Corner: Observable Security

by · September 1, 2020


Among the easiest ways to ensure your website or web application is behaving securely is to subject it to objective, third-party security scans. The Mozilla Observatory is one such tool that helps ensure strong security for any system operating on the public Internet. The Observatory automatically scans your website to make sure you correctly configure […]


Security Corner: Usable Security

by · August 6, 2020


An oft-overlooked aspect of any security practice or policy is its usability. Do the checks and controls added for the sake of security make the system harder for end-users to do their jobs? An unusable system will never be fully implemented and will fail to secure even the simplest of platforms.


Security Corner: Information Tokenization

by · July 1, 2020


Any system dealing with human users collects some information about those users. That information is private and needs to be kept secure. The most effective way to do so is to avoid its storage in the first place, i.e., by tokenizing the data.


Security Corner: Request Replay Protection

by · May 5, 2020


One of the most overused terms of security is “token.” It’s used in many different, often unrelated contexts to mean very different things. This month we’re going to discuss one form of tokens—replay prevention nonces—and how to use them.


Security Corner: Buzzword Bingo

by · April 9, 2020


Buzzwords permeate security. It’s vital for everyone working in application development to have a solid understanding of what the most common buzzwords are—partly so they can protect against misusing them.


Security Corner: Mutual TLS

by · March 5, 2020


Certificates issued to protect transport layer security (TLS) help identify servers and protect data in transit through encryption. They can also be used to identify clients making the connection. Let’s look at ways to handle TLS configuration and usage correctly in a PHP application.