queopius/sentinel
Composer 安装命令:
composer require queopius/sentinel
包简介
Queopius Sentinel — HTTP Security & HTTPS Hardening for Laravel
README 文档
README
Queopius Sentinel is a production-ready Laravel package for HTTP security hardening with great DX:
- Security headers (HSTS, CSP, Referrer-Policy, and more)
- HTTPS enforcement middleware
- Optional dashboard UI for audit/inspection
- Dashboard metrics with CSP-safe native charts and hardening plan
- Optional CSP reports endpoint + storage
- Security audit, endpoint scan, and report pruning commands
- Publishable views for full UI customization
Why Queopius Sentinel
- Safe-by-default with preset support
- Progressive rollout path (CSP report-only first)
- Works as reusable package and monorepo local package
- Built for Laravel 11, 12, and 13
Versioning and Laravel compatibility
Queopius Sentinel follows SemVer for package versions.
MAJOR: breaking changesMINOR: new features, backward compatiblePATCH: fixes and internal improvements
Compatibility matrix
| Sentinel version | Laravel | PHP | Status |
|---|---|---|---|
2.x |
11.x, 12.x |
8.2, 8.3, 8.4 |
Active |
2.x |
13.x |
8.3, 8.4 |
Active |
Composer constraints (current):
illuminate/*:^11.0|^12.0|^13.0php:^8.2
Laravel 13 requires PHP ^8.3, so PHP 8.2 support applies to Laravel 11 and 12 only.
Support policy
- Only actively maintained major versions receive fixes/features.
- Security fixes are prioritized for the latest maintained major.
- When a Laravel major reaches end-of-life, support can be dropped in the next Sentinel major.
Upgrade guidance
- Use a stable constraint in host apps:
composer require queopius/sentinel:^2.0 - Read release notes before any major upgrade (
1.x->2.x). - Run:
php artisan sentinel:auditafter upgrades to validate effective runtime security.
Quick start in 5 minutes
- Install package:
composer require queopius/sentinel
- Run installer:
php artisan sentinel:install --with-views
- Migrate (for CSP reports table):
php artisan migrate
-
Add middleware aliases/global as needed (see below).
-
Run audit:
php artisan sentinel:audit
Installation and publish
php artisan vendor:publish --tag=sentinel-config php artisan vendor:publish --tag=sentinel-views php artisan vendor:publish --tag=sentinel-migrations
Middleware registration (Laravel 11/12/13)
Add aliases/global middleware in bootstrap/app.php:
->withMiddleware(function (Middleware $middleware): void { $middleware->alias([ 'sentinel.headers' => \Queopius\Sentinel\Http\Middleware\AddSecurityHeaders::class, 'sentinel.https' => \Queopius\Sentinel\Http\Middleware\EnforceHttps::class, ]); // Optional global $middleware->append(\Queopius\Sentinel\Http\Middleware\EnforceHttps::class); $middleware->append(\Queopius\Sentinel\Http\Middleware\AddSecurityHeaders::class); })
Config basics
Config file: config/sentinel.php
Key areas:
preset: baseline config (web_compatible,api_strict)headers.*: security headers setuphttps.*: redirect + force schemeui.*: optional dashboardcsp_reports.*: endpoint + DB storageaudit.*: warnings and probe behaviorhealth_endpoint.*: optional JSON endpoint
Dashboard UI
Enable in config:
'ui' => [ 'enabled' => true, 'path' => 'sentinel', 'middleware' => ['web', 'auth'], 'require_ability' => 'viewSentinelDashboard', 'theme' => 'light', // light|dark|auto ]
Then open /sentinel.
Dashboard access control (recommended)
- Keep
ui.middlewarewithauth(default in package). - Set
ui.require_abilityand define the Gate in your app:
Gate::define('viewSentinelDashboard', fn ($user) => $user->hasRole('super_admin'));
With Spatie Permission you can map it to a permission:
Gate::define('viewSentinelDashboard', fn ($user) => $user->can('sentinel.view'));
Dashboard endpoint scan extras:
- Dynamic paths filter via
scan_pathsquery/form - Export scan results:
/sentinel?export=endpoints&format=json/sentinel?export=endpoints&format=csv
CSP reports
Enable:
'csp_reports' => [ 'enabled' => true, 'route_path' => 'sentinel/csp-reports', 'store_database' => true, ]
Use report-only initially, inspect reports, then enforce.
Commands
php artisan sentinel:install [--with-views] [--force]php artisan sentinel:audit [--format=table|json|csv]php artisan sentinel:scan [--json] [--paths=/,/login,/api]php artisan sentinel:prune-reports [--days=30]
Recommended rollout path (safe adoption)
- Start with preset
web_compatible - Keep CSP in
report_only - Observe dashboard + reports
- Tighten CSP directives and remove
unsafe-inline - Enable HTTPS redirect and HSTS in production
Reverse proxy notes
If app is behind Cloudflare / ALB / Nginx proxy, ensure Laravel trusted proxies are correctly configured so Request::isSecure() is reliable.
Local HTTPS test (production-like)
For monorepo host apps:
./scripts/generate-local-https-cert.sh ./vendor/bin/sail up -d --build
Set in host .env:
APP_URL=https://your-app.test:8443
Then run:
./vendor/bin/sail artisan optimize:clear
Open:
https://your-app.test:8443https://your-app.test:8443/sentinel
Full trust instructions are in docs/guides/local-https.md.
Publishable views
Views namespace: sentinel.
You can override UI templates by publishing views:
php artisan vendor:publish --tag=sentinel-views
Output path: resources/views/vendor/sentinel
Local development in a Laravel app (monorepo)
Host app composer.json:
{
"repositories": [
{
"type": "path",
"url": "packages/queopius/sentinel",
"options": {
"symlink": true
}
}
],
"require": {
"queopius/sentinel": "^2.0"
}
}
Then:
composer require queopius/sentinel:^2.0 php artisan sentinel:install --with-views php artisan migrate php artisan sentinel:audit php artisan sentinel:scan
Package tests
Inside package directory:
composer install vendor/bin/phpunit vendor/bin/pint --test vendor/bin/phpstan analyse
Docs
See docs/ for architecture, config reference, CSP reporting, dashboard and roadmap.
Release-hardening checklist: docs/production-readiness.md.
Community and governance
- Contribution guide:
CONTRIBUTING.md - Security policy:
SECURITY.md - Release + Packagist automation:
docs/guides/release-and-packagist.md
Licensing
- Code: MIT (see
LICENSE). - Documentation and guides: Creative Commons Attribution 4.0 International (CC BY 4.0).
Read the Docs
This package includes:
.readthedocs.yamlmkdocs.ymldocs/requirements.txt
Local docs preview:
cd packages/queopius/sentinel python3 -m venv .venv source .venv/bin/activate pip install -r docs/requirements.txt mkdocs serve
Local strict build:
mkdocs build --strict
GitHub Actions docs workflow:
- validates docs on PR/push via
mkdocs build --strict - optional Read the Docs trigger on push to
main
Required repository secrets for RTD trigger:
RTD_TOKEN: Read the Docs API tokenRTD_PROJECT: Read the Docs project slug (example:queopiussentinel)
Branding and badges notes
- Logo placeholder path in this README:
.github/assets/logo-queopius-sentinel.png
- If repository owner/name changes, update badge URLs accordingly.
- If Read the Docs project slug changes, update:
https://readthedocs.org/projects/<slug>/badge/?version=latest
queopius/sentinel 适用场景与选型建议
queopius/sentinel 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 05 月 14 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「https」 「headers」 「laravel」 「csp」 「hsts」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 queopius/sentinel 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 queopius/sentinel 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 queopius/sentinel 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Permissions-Policy (Feature-Policy) header builder and middleware for Laravel
A Laravel artisan based package to create the AWS (SES + SNS) infrastructure to receive email event notifications with Http/Https endpoint.
Provide a way to secure accesses to all routes of an symfony application.
PHP polyfill for the Apache Functions. The aim is to provides functions as the PHP way in order to get them available even if PHP is not running as an Apache module.
URL routing framework and requests/responses handler for PHP
Helper bundle, configure the request headers from a given base URL.
统计信息
- 总下载量: 1
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 67
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-05-14
