https://blog.xarc.dev/tags/legacy/Recent content in Legacy on Lukas ManeraHugoen-us<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Tue, 07 Apr 2026 00:17:55 +0200https://blog.xarc.dev/posts/2026/04/playbook-for-hardening-legacy-php/Mon, 06 Apr 2026 12:00:00 +0200https://blog.xarc.dev/posts/2026/04/playbook-for-hardening-legacy-php/<p>This is my practical follow-up to my post on <a href="https://blog.xarc.dev/posts/2026/04/hardening-legacy-php-in-constrained-environments/">threat modeling legacy PHP in constrained environments</a>.</p> <p>That post is more about mindset, prioritization, and how to think about risk when the system is messy but the business relies on it.</p> <p>This one is the hands-on version. It is the kind of outline I come back to at the start of a new project where the codebase is fragile, the DevOps story is rudimentary at best, and nobody is getting six months to clean things up before security work starts.</p>https://blog.xarc.dev/posts/2026/04/hardening-legacy-php-in-constrained-environments/Sun, 05 Apr 2026 12:00:00 +0200https://blog.xarc.dev/posts/2026/04/hardening-legacy-php-in-constrained-environments/<p>The moment you realize that the roughest codebase you’ve seen is also one of the most valuable systems you’ve touched, things start to look a little different.</p> <p>“Just modernize it” is not a security strategy if the main thing that matters is keeping core business processes running in a system that drives major revenue.</p> <p>If you get called into an old PHP application, it can feel a bit like arriving at a crash site. After the initial shock, instead of judging, you start to think like an emergency responder: assess the scene, stabilize what matters most, and reduce the risk without making the situation worse.</p>