Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why. (more about me, contact)

My trainings

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security December 11–12, 2018 Prahanow 2 days
HTTPS for developers and admins December 13, 2018 Praha

Trainings in Prague are held regularly in the middle of March, June, September, and December, in other cities irregularly.

In-house trainings

Any public training can also be turned into an in-house training. As an extra, I offer these in-house-only courses:

Security for users

Looking for Introduction to PHP, Classes and objects in PHP? I've handed them over to Martin Hujer. I've discontinued Web application performance, Martin Michálek runs a similar training.

My articles

Using JavaScript to modify URLs and hide fbclid (November 7, 2018, Blog)

Roughly two weeks ago, Facebook started adding a tracking parameter, fbclid (Facebook click id?), to all external links users share. And I didn't like it so I'm hiding it.

(read more…)

Disable TLS 1.0 & 1.1 today (October 16, 2018, Blog)

Microsoft, Google, Apple & Mozilla announced yesterday that they're removing TLS 1.0 and TLS 1.1 protocols from Internet Explorer, Edge, Chrome, Safari & Firefox browsers in the beginning of 2020. Your visitors most probably don't use them already so you can disable them in your server configs today. But let's verify that first using the “Handshake Simulation” tool available in the SSL Labs Server Test.

(read more…)

Browsers are hiding the padlock and it's a Good Thing™ (October 15, 2018, Blog)

Magical properties are often attributed to the padlock icon 🔒 which marks “secure” pages. For example, you'll often hear that the icon indicates trustworthy websites that won't abuse your data and passwords. The padlock is gradually being removed and that's a Good Thing™. But why?

(read more…)

All articles

My talks

Favorites

HTTP hlavičky, Subresource Integrity a spol. chrání vaše návštěvníky před bezpečnostními chybami
XSS PHP CSP ETC OMG WTF BBQ, o Cross-Site Scriptingu a Content Security Policy
Hlava není na hesla, použijte na ně raději password manager
HTTPS, co, proč, jak, zač, nač, kdy, kde, s kým a proti komu
Webová bezpečnost, popis několika základních útoků i méně známých triků
Jak jsme zlepšili zabezpečení Slevomatu a jak byste měli udělat to samé
Zahashovat heslo, uložit, …, profit!, o správném hashování hesel

Upcoming talks

Úniky dat, co to vůbec je a jak na ně reagovat
November 15, 2018, WebTop100 2018 (25 minutes)

I'll happily do a talk at your event or conference, let me know!

Talks

Cracking passwords, or why use password_hash()
October 28, 2018, phpCE 2018 (50 minutes)

Vyhledávejte na netu jako MacGyver
October 6, 2018, LinuxDays 2018 (50 minutes)

Vyhledávání na Internetu pomocí specializovaných vyhledávačů
September 26, 2018, CyberCon Brno 2018 (60 minutes)

XSS PHP CSP ETC OMG WTF BBQ
June 27, 2018, Madeo Office Opening Party (60 minutes)

Everything is User Input
June 23, 2018, PHP Prague (20 minutes)

All talks

Me answering questions

Blokování webů a stránek
June 4, 2016, Český rozhlas Online Plus

Na 11. srazu Na volné noze
June 4, 2016, 11. sraz Na volné noze

Webový vývojář musí mít hackerské myšlení
May 30, 2016, Kyberbezpečnost.cz

Hlavní je používat hlavu, ale ne na hesla
May 3, 2016, Host Radiožurnálu

Jak zvýšit zabezpečení vašeho webu?
February 17, 2016, MladýPodnikatel.cz

All interviews