
amreljako/secure-core
=====================

Advanced Security Hardener for Laravel Applications

v1.0.5(3w ago)117MITPHPPHP ^8.0

Since May 14 | Pushed 3w ago

[Source](https://github.com/amreljako/secure-core) | [Packagist](https://packagist.org/packages/amreljako/secure-core)

SecureCore for Laravel
======================


SecureCore is an advanced security hardening framework designed for Laravel applications. It provides a multi-layered defense strategy to protect sensitive data, mitigate API vulnerabilities (like BOLA), and prevent automated infrastructure scanning through intelligent intrusion detection.

---

Installation
------------


Install the package via composer:

```
composer require amreljako/secure-core
```

Publish the configuration file:

```
php artisan vendor:publish --tag="secure-core-config"
```

---

Key Features & Implementation
-----------------------------

### 1. Transparent Database Encryption


Protect PII (Personally Identifiable Information) by encrypting model attributes at rest. SecureCore automatically handles encryption/decryption and includes safety checks to prevent errors with legacy non-encrypted data.

### Usage:


Add the `HasSecureAttributes` trait to your model and define the `$encryptable` array.

```
namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Amreljako\SecureCore\Traits\HasSecureAttributes;

class User extends Model
{
    use HasSecureAttributes;

    protected $encryptable = [
        'phone_number',
        'national_id',
    ];
}
```

### 2. Auto-BOLA Protection (ID Obfuscation)

Mitigates Broken Object Level Authorization (BOLA) by masking internal database IDs with Hashids, so that resource IDs cannot be guessed or enumerated (e.g., `/api/orders/1` becomes `/api/orders/vj8k2p`). Obfuscation only makes IDs harder to guess; endpoints still need an object-level authorization check on each request.

### Usage:


Apply the `SecureResource` trait to your model.

```
namespace App\Models;

use Amreljako\SecureCore\Traits\SecureResource;

class Order extends Model
{
    use SecureResource;
}
```

### Important: Generating Secure URLs


To ensure the ID is obfuscated in your routes, you must pass the entire model instance to the `route()` helper. If you pass the ID explicitly, Laravel will bypass the secure encoding.

### Incorrect (Exposes the raw ID):

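```
{{-- Route name and $product are illustrative, not taken from the package --}}
<a href="{{ route('products.show', $product->id) }}">View Product</a>
```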

### Correct (Generates secure Hashid):

```
{{-- Route name and $product are illustrative, not taken from the package --}}
<a href="{{ route('products.show', $product) }}">View Product</a>
```

**Security Note:** By passing the model instance, Laravel automatically calls the `getRouteKey()` method provided by our trait, ensuring that only the secure hash is exposed to the end-user.
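An obfuscated key hides the numeric ID but says nothing about who is asking, so the route still needs an ownership check. The following is an added example, not SecureCore's own code; the `orders.show` route name, the `view-order` ability, the `user_id` and `status` columns, the `auth` guard, and the assumption that the trait resolves the hash back to a model during route model binding are all illustrative.

```php
<?php
// routes/api.php (added example; not part of SecureCore)
// Assumed names: `orders.show`, `view-order`, the `user_id` and `status`
// columns, and an `auth` guard configured for the API.

use App\Models\Order;
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

// Ownership rule: only the user who placed the order may read it.
// (Usually registered in a service provider's boot() method.)
Gate::define('view-order', function (User $user, Order $order): bool {
    return (int) $order->user_id === (int) $user->id;
});

Route::middleware('auth')->get('/orders/{order}', function (Order $order) {
    // {order} arrives as the obfuscated key and is assumed to be resolved
    // to a model by route model binding. A valid hash proves nothing about
    // the caller, so authorize before returning data (403 on failure).
    Gate::authorize('view-order', $order);

    return response()->json([
        'id'     => $order->getRouteKey(), // expose the hash, never the raw id
        'status' => $order->status,
    ]);
})->name('orders.show');
```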

### 3. API Request Signature Verification

Ensures data integrity for sensitive endpoints. Each request must carry an `X-Secure-Signature` header containing the HMAC-SHA256 of the payload, keyed with the `APP_KEY`.

### Implementation:


```
// Apply to sensitive routes in routes/api.php
Route::middleware(['secure.signature'])->group(function () {
    Route::post('/v1/payments', [PaymentController::class, 'process']);
});
```
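How a client could produce the header and how a server could check it, as an added example that is not SecureCore's own code. It assumes the signature is the lowercase hex HMAC-SHA256 of the raw request body and that a `base64:`-prefixed `APP_KEY` is decoded before use; the function names, key and payloads are constructed for illustration.

```php
<?php
// Added example: not SecureCore's code. Assumes hex HMAC-SHA256 over the raw body.

/** Decode a Laravel-style APP_KEY; a "base64:" prefix marks base64-encoded bytes. */
function appKeyBytes(string $appKey): string
{
    if (str_starts_with($appKey, 'base64:')) {
        $raw = base64_decode(substr($appKey, 7), true);
        if ($raw === false) {
            throw new InvalidArgumentException('APP_KEY is not valid base64');
        }
        return $raw;
    }
    return $appKey;
}

/** Client side: the value to send in X-Secure-Signature. */
function signPayload(string $rawBody, string $appKey): string
{
    return hash_hmac('sha256', $rawBody, appKeyBytes($appKey));
}

/** Server side: recompute over the bytes received, compare in constant time. */
function verifySignature(string $rawBody, ?string $header, string $appKey): bool
{
    if ($header === null || $header === '') {
        return false; // a missing header fails closed
    }
    return hash_equals(signPayload($rawBody, $appKey), strtolower(trim($header)));
}

// Constructed sample key and payloads.
$appKey = 'base64:' . base64_encode(str_repeat("\x01", 32));
$body   = '{"amount":1000,"currency":"USD"}';
$sig    = signPayload($body, $appKey);

var_dump(verifySignature($body, $sig, $appKey));                               // unmodified request
var_dump(verifySignature('{"amount":9000,"currency":"USD"}', $sig, $appKey)); // amount altered
var_dump(verifySignature('{"currency":"USD","amount":1000}', $sig, $appKey)); // same data, re-serialized
var_dump(verifySignature($body, null, $appKey));                               // header absent
```

The client has to sign the exact bytes it sends, because re-encoding the same JSON with a different key order produces a different HMAC. A body-only HMAC carries no timestamp or nonce, so it establishes integrity, not freshness.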

### 4. Automated Production Shield


When `APP_ENV` is set to `production`, SecureCore enforces strict security defaults:

- **Forced Debug Disable:** Overrides `APP_DEBUG` to `false`.
- **Environment Scrubbing:** Masks sensitive ENV variables in logs and error reports.
- **Server Masking:** Strips `X-Powered-By` and `Server` headers to reduce information exposure.

### Security Headers (Automatic)


The following headers are injected into every response to enforce browser-level security:

- **Strict-Transport-Security:** max-age=31536000; includeSubDomains
- **Content-Security-Policy:** upgrade-insecure-requests
- **X-Frame-Options:** SAMEORIGIN
- **X-Content-Type-Options:** nosniff
- **X-XSS-Protection:** 1; mode=block

### Configuration Summary


The package behavior can be fine-tuned via `config/secure-core.php`. Environment variables available:

```
SECURE_CORE_ENCRYPTION=true
SECURE_CORE_SIGNATURE_CHECK=true
SECURE_CORE_HONEYPOT=true
```

---

License
-------


The MIT License (MIT). Please see the License File for more information.

Developed by Amr Elsayed

