salehye/laravel-security
Composer 安装命令:
composer require salehye/laravel-security
包简介
🔥 Advanced Security Package for Laravel 12 - The most comprehensive security solution for Laravel applications
关键字:
README 文档
README
🔥 Advanced Security Package for Laravel 12 - The most comprehensive security solution for Laravel applications.
Features
🛡️ Comprehensive Protection
- Input Sanitization - Automatic XSS prevention and input cleaning
- SQL Injection Protection - Advanced pattern detection and validation rules
- XSS Protection - Cross-site scripting prevention
- Path Traversal Protection - Directory traversal attack prevention
- Command Injection Protection - Shell command injection prevention
🔐 Authentication & Session Security
- Brute Force Protection - Rate-limited login attempts with progressive delays
- Two-Factor Authentication (2FA) - Built-in 2FA support
- Session Hardening - Session fixation prevention, concurrent session detection
- Suspicious Login Detection - Geographic anomaly detection, impossible travel detection
- Re-authentication - Require password for sensitive operations
🚦 Advanced Rate Limiting
- Smart Rate Limiting - IP, user, route, or combination-based limiting
- Progressive Throttling - Increasing penalties for repeat offenders
- Endpoint-specific Limits - Custom limits per route or endpoint
🔑 API Security
- Request Signing - HMAC-based request integrity verification
- Timestamp Verification - Replay attack prevention
- API Key Management - Scoped API tokens with permissions
- Nonce-based Protection - One-time request tokens
📊 Audit & Logging
- Comprehensive Audit Logs - Track all security events
- Multiple Channels - Database, Log, Slack, SIEM integration
- Real-time Alerts - Instant notifications for critical events
🌐 Security Headers
- Content Security Policy (CSP) - Configurable CSP with nonce support
- HSTS - HTTP Strict Transport Security
- X-Frame-Options - Clickjacking prevention
- X-Content-Type-Options - MIME sniffing prevention
- Referrer-Policy - Referrer information control
Installation
# Install the package composer require salehye/laravel-security # Publish configuration and migrations php artisan vendor:publish --provider="Salehye\LaravelSecurity\SecurityServiceProvider"
Configuration
After publishing, edit config/security.php to customize your security settings:
return [ // Enable/disable the entire security package 'enabled' => env('SECURITY_ENABLED', true), // Input protection settings 'input_protection' => [ 'enabled' => true, 'auto_sanitize' => true, ], // Firewall settings 'firewall' => [ 'enabled' => true, 'auto_block' => true, 'threat_threshold' => 70, ], // Rate limiting 'rate_limiting' => [ 'enabled' => true, 'progressive' => [ 'enabled' => true, 'threshold' => 3, ], ], // Security headers 'headers' => [ 'enabled' => true, 'csp' => [ 'enabled' => true, ], ], ];
Usage
Middleware
The package automatically applies security middleware when auto_protect is enabled. You can also apply middleware manually:
// In app/Http/Kernel.php or bootstrap/app.php protected $middlewareAliases = [ 'security.sanitize' => \Salehye\LaravelSecurity\Http\Middleware\SanitizeInputMiddleware::class, 'security.rate' => \Salehye\LaravelSecurity\Http\Middleware\AdvancedRateLimitMiddleware::class, 'security.headers' => \Salehye\LaravelSecurity\Http\Middleware\SecurityHeadersMiddleware::class, 'security.api' => \Salehye\LaravelSecurity\Http\Middleware\ApiKeyMiddleware::class, ];
Facade
Use the Security facade for easy access to security features:
use Salehye\LaravelSecurity\Facades\Security; // Audit logging Security::audit(auth()->user(), 'updated_settings', $request->all()); // Block an IP Security::blockIp('192.168.1.1', 'Brute force attack'); // Check if IP is blocked if (Security::isBlocked($request->ip())) { abort(403, 'Access denied'); } // Sanitize input $clean = Security::sanitize($request->all()); // Detect threats $threats = Security::detectThreats($request); if (array_filter($threats)) { Security::logThreat('multiple_detections', $threats); } // Session management Security::terminateAllOtherSessions($request);
Validation Rules
The package provides custom validation rules:
use Salehye\LaravelSecurity\Rules\NoSqlInjectionRule; use Salehye\LaravelSecurity\Rules\NoXssRule; use Salehye\LaravelSecurity\Rules\SensitiveDataRule; use Salehye\LaravelSecurity\Rules\PasswordStrengthRule; // In your Form Request public function rules(): array { return [ 'username' => ['required', 'string', new NoSqlInjectionRule()], 'comment' => ['required', 'string', new NoXssRule()], 'data' => [new SensitiveDataRule()], 'password' => ['required', new PasswordStrengthRule()], ]; }
API Protection
Sign your API requests:
use Salehye\LaravelSecurity\Facades\Security; // Generate API key $apiKey = Security::generateApiKey(); // Sign a request $signedRequest = Security::signRequest($data, $apiKey); // On the server side, verify the signature if (!Security::verifySignature($request)) { abort(401, 'Invalid signature'); }
Audit Logging
use Salehye\LaravelSecurity\Facades\Security; // Log events Security::log('user_login', auth()->user(), ['ip' => request()->ip()]); Security::logFailedLogin($email, ['ip' => request()->ip()]); Security::logSensitiveAction('password_change', auth()->user()); Security::logThreat('sql_injection', ['payload' => $request->get('search')]); // Retrieve logs $logs = Security::getLogs(event: 'login', limit: 100); // Clean old logs Security::cleanOldLogs(90); // Keep 90 days
Console Commands
# Run security audit php artisan security:audit # Block an IP php artisan security:block 192.168.1.1 --reason="Brute force" --duration=24 # Unblock an IP php artisan security:unblock 192.168.1.1 # View security report php artisan security:report # Warmup security cache php artisan security:cache:warmup # Clean old audit logs php artisan security:clean-logs --days=90
Events & Listeners
The package fires events for security-related actions:
// Events \Salehye\LaravelSecurity\Events\SuspiciousActivityDetected::class \Salehye\LaravelSecurity\Events\UserBlocked::class \Salehye\LaravelSecurity\Events\LoginAttemptFailed::class \Salehye\LaravelSecurity\Events\RateLimitExceeded::class \Salehye\LaravelSecurity\Events\SensitiveActionPerformed::class
Testing
composer test
Documentation
For detailed documentation, visit the Wiki.
Changelog
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security-related issues, please email security@example.com instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
Laravel Package Development
This package is built following Laravel package development conventions and is compatible with Laravel 12.x and PHP 8.4+.
salehye/laravel-security 适用场景与选型建议
salehye/laravel-security 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 03 月 27 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「Authentication」 「firewall」 「laravel」 「csrf」 「xss」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 salehye/laravel-security 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 salehye/laravel-security 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 salehye/laravel-security 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
PHP Basic Firewall
Provide a way to secure accesses to all routes of an symfony application.
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
It's a barebone security class written on PHP
统计信息
- 总下载量: 2
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 48
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-03-27