2025 in Review - The Year Web Security Mattered More Than Ever
As 2025 draws to a close, it feels like the right time to look back at a year that tested the resilience of web applications, reinforced lessons we have been preaching all year, and delivered some genuinely exciting developments for the tools we use every day.
If there is a single thread running through 2025, it is this: the teams that stayed current with their software were the ones that slept soundly. The ones that did not found themselves scrambling, patching, and in some cases, explaining breaches to their customers.
Here is our retrospective on the year that was.
The Security Headlines That Defined 2025
It would be an understatement to say that 2025 was a busy year for web security. We saw critical vulnerabilities across nearly every major framework and platform, and the speed of exploitation continued to accelerate.
React2Shell (CVE-2025-55182) was arguably the most significant web security event of the year. We covered it in detail when it dropped in early December, but the numbers bear repeating. A CVSS 10.0 flaw in the way React Server Components deserialise incoming request payloads allowed unauthenticated remote code execution via a single HTTP request. Default Next.js installations using the App Router were exploitable out of the box, and because the bug lives in React itself, any framework that exposes Server Components endpoints was in scope, not only Next.js. State-sponsored threat groups were actively exploiting it within hours of disclosure, and over 59,000 servers were reportedly compromised within 48 hours. If you run Next.js in production, this was the most important patch of the year.
Earlier in the year, the Next.js middleware bypass (CVE-2025-29927) demonstrated a different kind of risk. Next.js uses an internal header, x-middleware-subrequest, to stop middleware from recursing into itself; before the fix it honoured that header on external requests too, so by adding it to a request attackers could skip middleware entirely, bypassing authentication, authorisation, and security checks. Upgrading to a patched release (15.2.3, 14.2.25, 13.5.9 or 12.3.5) closed it, and for anyone who could not upgrade immediately the published workaround was to strip that header at the proxy or CDN before requests reached the application. It was a stark reminder that even well-architected applications are only as secure as the frameworks they run on, and that middleware is a convenience layer rather than a security boundary: the checks that matter belong in the route handlers and data layer as well.
On the Laravel side, the GitGuardian and Synacktiv research into exposed APP_KEYs made for uncomfortable reading. Over 260,000 Laravel APP_KEYs were found on GitHub, with more than 600 applications confirmed vulnerable to remote code execution. The key alone is enough: Laravel's decrypt() unserialises the plaintext by default, so anyone who holds APP_KEY can forge a ciphertext that executes code wherever the application decrypts attacker-controlled data, the chain first documented as CVE-2018-15133 and still reachable in the applications the researchers confirmed. The root cause was depressingly simple: developers committing .env files to version control. It is a mistake that costs nothing to prevent and everything to recover from, and recovery means rotating the key and re-encrypting whatever depended on it, not merely deleting the commit, because a key that has been pushed has already been copied.
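As an added example (our own illustration, not code from the original post, from Next.js or from Vercel), here are the two checks we would want in a pipeline for CVE-2025-29927: a version check against the fixed release of each supported line, and the edge-side check for the internal header that unpatched builds trusted. The header name and the fixed versions come from the Next.js advisory, not from this page; the sample requests are constructed.

```python
"""Added example, not code from the original post or from Next.js/Vercel.

Two checks a practitioner would want for CVE-2025-29927:

1. is_patched(): compare an installed `next` version with the fixed release of
   its line (15.2.3, 14.2.25, 13.5.9, 12.3.5, as listed in the Next.js advisory).
2. flag_subrequest_header() / strip_subrequest_header(): the edge-side
   workaround for hosts that could not upgrade at once. Next.js uses the
   internal header x-middleware-subrequest to stop middleware recursing;
   unpatched builds honoured it on external requests and skipped middleware.

The sample requests at the bottom are constructed for this example.
"""
import re

# Fixed versions per release line, from the CVE-2025-29927 advisory.
FIXED_VERSIONS = {15: (15, 2, 3), 14: (14, 2, 25), 13: (13, 5, 9), 12: (12, 3, 5)}

BYPASS_HEADER = "x-middleware-subrequest"


def parse_version(spec: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from a version or range such as '^15.1.0'.

    A range resolves to its lower bound, i.e. the oldest version the lockfile
    could have pinned; check the lockfile itself for the exact installed version.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    if not match:
        raise ValueError(f"unrecognised version: {spec!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(installed: str) -> bool:
    """True if this `next` version contains the fix for CVE-2025-29927."""
    version = parse_version(installed)
    major = version[0]
    if major > max(FIXED_VERSIONS):
        return True  # 16.x and later were released after the fix
    fixed = FIXED_VERSIONS.get(major)
    if fixed is None:
        return False  # 11.x and earlier were end of life; no fix was published
    return version >= fixed


def flag_subrequest_header(headers: dict[str, str]) -> bool:
    """True if an incoming request carries the internal bypass header.

    Header names are compared case-insensitively because HTTP header names are.
    Any occurrence on an external request is suspicious: browsers never send it.
    """
    return any(name.lower() == BYPASS_HEADER for name in headers)


def strip_subrequest_header(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the headers with the bypass header removed.

    This is the proxy/CDN-side mitigation: drop the header before the request
    reaches an unpatched Next.js instance so middleware runs as intended.
    """
    return {name: value for name, value in headers.items() if name.lower() != BYPASS_HEADER}


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary request, one carrying the header.
    normal = {"Host": "app.example", "Accept": "text/html"}
    suspicious = {"Host": "app.example", "X-Middleware-Subrequest": "middleware"}
    for spec in ("15.2.2", "15.2.3", "^14.2.0", "16.0.0"):
        print(f"next {spec:>8}: {'patched' if is_patched(spec) else 'VULNERABLE'}")
    print("normal request flagged:", flag_subrequest_header(normal))
    print("suspicious request flagged:", flag_subrequest_header(suspicious))
    print("after stripping:", strip_subrequest_header(suspicious))
```

The version check is the durable fix; the header check is a stopgap for the window between disclosure and deployment, and it doubles as a detection signal, since legitimate clients have no reason to send that header.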
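As an added example (our own illustration, not code from the original post, from GitGuardian or from Synacktiv), this is the kind of pre-commit check that stops the .env mistake described above, plus the key rotation that recovery requires. It assumes the key format that php artisan key:generate writes (base64: followed by 32 random bytes, base64-encoded); the sample .env and .gitignore contents are constructed.

```python
"""Added example, not code from the original post, GitGuardian or Synacktiv.

A pre-commit style check for the Laravel .env leak described above:

- find_app_keys(): scans text for APP_KEY values in the format `php artisan
  key:generate` writes: 'base64:' followed by a 32-byte key, which is 44
  base64 characters ending in '='. Findings are redacted before reporting so
  the scanner's own output does not leak the key again.
- env_is_ignored(): checks that .gitignore actually excludes a given .env file.
- new_app_key(): mints a replacement key in the same format. A key that has
  been pushed must be rotated; rewriting history does not un-copy it.

The sample .env and .gitignore contents are constructed for this example.
"""
import base64
import fnmatch
import re
import secrets

# APP_KEY=base64:<43 base64 chars>=  with optional quotes and whitespace.
# Plain 32-character keys from very old Laravel releases are not matched.
APP_KEY_LINE = re.compile(r'^\s*APP_KEY\s*=\s*"?(base64:[A-Za-z0-9+/]{43}=)"?\s*$')


def redact(key: str) -> str:
    """Keep the prefix and the first few characters so a finding is traceable."""
    return key[:15] + "..."


def find_app_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted key) for every APP_KEY found in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = APP_KEY_LINE.match(line)
        if match:
            findings.append((number, redact(match.group(1))))
    return findings


def env_is_ignored(gitignore_text: str, filename: str = ".env") -> bool:
    """True if some .gitignore pattern matches filename.

    Handles the common forms (.env, /.env, .env*, .env.*); directory patterns
    (trailing '/'), comments and negations are skipped. A full gitignore
    implementation is out of scope here.
    """
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith(("#", "!")) or pattern.endswith("/"):
            continue
        if fnmatch.fnmatchcase(filename, pattern.lstrip("/")):
            return True
    return False


def new_app_key() -> str:
    """Generate a replacement key in key:generate's format: 32 random bytes, base64."""
    return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode("ascii")


# Constructed sample inputs. The dummy key has the right shape but is obviously not real.
DUMMY_KEY = "base64:" + "A" * 43 + "="
SAMPLE_ENV = f"APP_NAME=Demo\nAPP_KEY={DUMMY_KEY}\nAPP_DEBUG=false\n# APP_KEY={DUMMY_KEY}\n"
SAFE_GITIGNORE = "node_modules/\nvendor/\n.env\n.env.*\n"
UNSAFE_GITIGNORE = "node_modules/\nvendor/\n"

if __name__ == "__main__":
    for number, key in find_app_keys(SAMPLE_ENV):
        print(f"line {number}: APP_KEY present ({key}); rotate it if this file was ever committed")
    print(".env ignored (safe file):", env_is_ignored(SAFE_GITIGNORE))
    print(".env ignored (unsafe file):", env_is_ignored(UNSAFE_GITIGNORE))
    print("replacement key:", redact(new_app_key()))
```

Run find_app_keys over each staged file in a pre-commit hook and fail the commit on any finding; run env_is_ignored once per repository. When a key has already leaked, new_app_key gives you the replacement, but remember that rotating APP_KEY invalidates existing encrypted cookies, sessions and any values you encrypted with the old key, so plan the re-encryption before you rotate.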
These were not isolated incidents. Throughout the year, we saw critical vulnerabilities in Livewire, authentication bypasses in popular packages, and a steady drumbeat of CVEs across the PHP ecosystem. Every single one of them had the same fix: update your software.
Cloudflare - A Year of Outages
If 2025 taught us anything about infrastructure, it is that centralisation carries real risk. Cloudflare, which sits in front of a staggering proportion of the web's traffic, had a year it would rather forget.
The 18th November outage was the headline incident. A database permissions change caused Cloudflare's Bot Management feature file to double in size. When that oversized file propagated across their global network, proxy servers crashed, and roughly one in five web pages became unreachable. X, ChatGPT, Shopify, Spotify, and countless other services went dark. The outage lasted several hours and exposed a painful circular dependency: Cloudflare's own dashboard login relied on Turnstile, which itself was down, meaning customers could not even log in to manage their own configurations during the incident.
Less than three weeks later, on 5th December, Cloudflare suffered another global outage while deploying security rules to help protect against the React2Shell vulnerability. The irony was not lost on anyone. Cloudflare subsequently declared "Code Orange: Fail Small," an internal programme to overhaul their deployment practices and ensure that configuration changes can no longer cascade across their entire network simultaneously.
These were far from the only incidents. Earlier in the year, Cloudflare R2 suffered outages in February and March, the 1.1.1.1 DNS resolver went down for over an hour in July, the dashboard was unavailable in September, and severe congestion on peering links to AWS us-east-1 in August degraded service for hours. Each incident reinforced the same lesson: relying on a single provider for critical infrastructure, no matter how large they are, is a risk that needs to be actively managed.
Laravel 12 and the Ecosystem
On a more positive note, 2025 was a strong year for Laravel. Laravel 12 shipped on 24th February, and while it was deliberately positioned as a maintenance release with minimal breaking changes, the real story was the continuous stream of quality-of-life improvements that followed throughout the year.
The new starter kits for React, Vue, and Livewire, complete with TypeScript support and modern UI component libraries, made spinning up new projects faster than ever. The optional WorkOS AuthKit integration brought social authentication, passkeys, and SSO support out of the box. For teams building APIs and SPAs, the developer experience took a noticeable step forward.
Under the hood, Laravel 12.x releases throughout the year brought automatic eager loading to tackle N+1 queries, a failover queue driver for high-availability deployments, deferred HTTP batching, and improvements to Artisan, collections, and the service container. The framework felt like it matured significantly across the year without any single release demanding attention.
The broader Laravel ecosystem continued to thrive too. Filament v4 shipped in August with unified schemas, significantly faster table rendering, and built-in multi-factor authentication. Laravel Forge, which we rely on for server management, continued to refine its provisioning and deployment workflows.
PHP 8.5
PHP 8.5 landed on 20th November, and it delivered features that the community had been requesting for years. The pipe operator makes chaining function calls readable and clean. The clone-with syntax simplifies working with immutable value objects. The new URI extension provides proper URL handling without reaching for third-party packages. And the NoDiscard attribute helps catch a category of bugs where return values are accidentally ignored.
For Laravel teams, the upgrade path from PHP 8.4 to 8.5 was smooth, and the new language features will gradually make their way into framework and package code throughout 2026.
CraftCMS is Going Laravel
For our team, the announcement at Dot All 2025 in Lisbon was one of the highlights of the year. Pixel and Tonic confirmed that Craft CMS 6 will be built on Laravel, replacing the Yii framework that has underpinned Craft since its inception.
This is a big deal for any agency that works with both Laravel and CraftCMS. For us, it means our APIs, our backend services, and our CMS layer will all share the same foundation. One ecosystem. One set of tools. One pool of developer knowledge. The context-switching between Yii patterns and Laravel patterns that we have lived with for years is coming to an end.
The Craft team has handled the announcement well. A Yii 2 adapter package means most existing plugins will work in Craft 6 with minimal changes. Craft 5 has been designated as a Long-Term Support release with five years of support after Craft 6 ships. And the timeline is realistic: alpha in Q1 2026, beta in Q3 2026, and a general availability release in Q4 2026.
Beyond the framework change, Craft 6 is bringing content approval workflows, scheduled drafts, inline commenting on entry edit pages, activity logs, and a built-in content importer. It is shaping up to be a significant release on every front.
The Rise of Vibe Coding - and Why We Are Cautious
2025 saw an explosion of AI-powered code generation tools. Platforms like v0.app and Lovable.dev made it possible for anyone to generate functional-looking web applications in minutes. The speed is genuinely impressive. The security posture of the generated code is genuinely concerning.
We have always warned about the dangers of vibe coding, and our position has not changed. These tools are brilliant for prototyping and exploring ideas. They are not a substitute for professional development when the code is going into production. The generated output frequently lacks input validation, pins outdated dependencies, skips authentication best practices, and produces code that looks correct but fails under scrutiny. For businesses, the risk is real: code that works is not the same as code that is safe.
What We Published This Year
We have been busy building out our insights library throughout 2025, covering the topics that matter most to the businesses and developers we work with. Some highlights from our own content this year:
- New Year, New Vulnerabilities - Keeping Your Stack Current kicked off the year with a reminder that the start of a new year is the perfect time to audit your dependencies.
- The Hidden Cost of Ignoring Security Updates made the business case for why patching is a cost issue, not just a technical one.
- Why We Build APIs First explained our development philosophy and why API-first architecture leads to better outcomes.
- Our Tech Stack Explained gave a transparent look at the tools we use and why we chose them.
- Security Patching is Not a One-Off Task laid out a practical approach to building patching into your workflow.
- The Case for Automated Security Scanning in Your CI/CD Pipeline covered the tools and techniques for catching vulnerabilities before they reach production.
Every one of these posts was validated by the events that followed. The vulnerabilities we warned about in January were the ones making headlines in December.
Looking Ahead to 2026
2026 is shaping up to be another significant year for the web development ecosystem. Here is what we are watching:
Craft CMS 6 will enter alpha in Q1 and beta by Q3. For teams already working with Laravel, this is the year to start planning your migration strategy and getting familiar with how Craft operates as a Laravel application.
Laravel 13 is expected in Q1 2026. Given Laravel 12's focus on stability, there is reason to expect that the next major release will be more feature-rich. The ecosystem's momentum shows no signs of slowing.
Security will remain the defining challenge. The speed of exploitation we saw in 2025, where critical vulnerabilities were being weaponised within hours of disclosure, is not going to slow down. If anything, it will accelerate. Automated scanning, proactive patching, and robust CI/CD pipelines are no longer nice-to-haves. They are essential.
Infrastructure resilience will be a major theme. After a year of high-profile outages from Cloudflare, AWS, and others, we expect more businesses to invest in multi-region architectures, fallback DNS configurations, and reducing their dependency on single providers.
The Year's Lesson
If 2025 had a single lesson, it is one we have been saying all year: keeping your software updated is the single most impactful thing you can do for your application's security. It is cheaper than incident response. It is faster than disaster recovery. And it is infinitely less painful than explaining a breach to your customers.
Proactive maintenance costs hours, not headlines.
From all of us at The API Guys, thank you for reading throughout 2025. We will be back in January with more insights, more analysis, and the same commitment to building secure, well-maintained web applications.
If you are heading into 2026 with concerns about your application's security posture, your update strategy, or your technology stack, get in touch. We are always happy to talk.
