PHPackages artisanpack-ui/secure-uploads - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Validation & Sanitization](/categories/validation) 4. / 5. artisanpack-ui/secure-uploads ActiveLibrary[Validation & Sanitization](/categories/validation) artisanpack-ui/secure-uploads ============================= File upload security for Laravel — content-type validation, filename sanitization, malware scanning (ClamAV / VirusTotal), rate limiting, secure storage, and quarantine. 1.0.0(3w ago)04[1 issues](https://github.com/ArtisanPack-UI/secure-uploads/issues)1MITPHPPHP ^8.2 Since May 19Pushed 3w agoCompare [ Source](https://github.com/ArtisanPack-UI/secure-uploads)[ Packagist](https://packagist.org/packages/artisanpack-ui/secure-uploads)[ RSS](/packages/artisanpack-ui-secure-uploads/feed)WikiDiscussions main Synced 1w ago READMEChangelog (1)Dependencies (11)Versions (2)Used By (1) ArtisanPack UI — Secure Uploads =============================== [](#artisanpack-ui--secure-uploads) File upload security for Laravel: content-type validation with magic-byte sniffing, filename sanitization, pluggable malware scanning (ClamAV / VirusTotal), secure signed-URL storage, upload rate limiting, and quarantine workflows. This package is part of the **ArtisanPack UI Security 2.0** split — the upload-focused features previously bundled inside `artisanpack-ui/security` (1.x) live here in 2.0+. Features -------- [](#features) - **File validation pipeline** (`FileValidationService`) — MIME sniffing against actual file content, magic-byte verification, extension allowlists / blocklists, per-type and absolute size limits, double-extension and null-byte trick detection, EXIF stripping for images - **Validation rules** — `SafeFilename`, `SecureFile` (drop-in `Rule` classes for Form Requests) - **Pluggable malware scanning** — `ClamAvScanner` (Unix socket or binary), `VirusTotalScanner` (API + by-hash short-circuit), `NullScanner` (dev / CI default) - **Secure storage** (`SecureFileStorageService`) — files stored outside the public root, served only via signed URLs through the bundled `SecureFileController` - **Quarantine workflow** — files flagged by async scanning live in a quarantine area until cleared by `security:scan-quarantine` - **Upload rate limiting** (`FileUploadRateLimiter`) - **Middleware** — `validate.upload`, `scan.upload` - **Eloquent concern** — `HasSecureFiles` adds `attachSecureFile`, `secureImages`, `secureDocuments`, etc. to any model that owns uploaded files - **Events** — `FileUploaded`, `FileUploadRejected`, `FileServed`, `MalwareDetected` (subscribed to by `artisanpack-ui/security-analytics` for audit trail) - **Artisan commands** — `security:cleanup-files`, `security:scan-quarantine` Installation ------------ [](#installation) ``` composer require artisanpack-ui/secure-uploads php artisan migrate ``` (Optional) Publish the config: ``` php artisan vendor:publish --tag=secure-uploads-config ``` Quick start ----------- [](#quick-start) ``` use ArtisanPackUI\SecureUploads\Concerns\HasSecureFiles; class Post extends Model { use HasSecureFiles; } ``` ``` $post = Post::find(1); $stored = $post->attachSecureFile($request->file('attachment')); return redirect()->route('secure-file.show', ['identifier' => $stored->identifier]); ``` The `attachSecureFile()` call runs validation, optionally scans for malware, sanitizes the filename, and stores the file behind a signed URL. Configuration ------------- [](#configuration) The shipped config covers MIME / extension allow- and block-lists, size limits, EXIF stripping, scanner driver selection (`null` / `clamav` / `virustotal`), and rate limiting. Override any of it after publishing: ``` php artisan vendor:publish --tag=secure-uploads-config ``` See `config/artisanpack/secure-uploads.php` for the full list with inline documentation. Documentation ------------- [](#documentation) - [Documentation home](docs/home.md) — overview + map - [Getting started](docs/getting-started.md) — 5-minute install + first upload - [Installation](docs/installation.md) — requirements, configuration, scanner setup - [Usage](docs/usage.md) — validation, malware scanning, storage, signed URLs, events, commands - [Advanced](docs/advanced.md) — extending validators, custom scanners, quarantine workflow - [FAQ](docs/faq.md) - [Troubleshooting](docs/troubleshooting.md) - [Changelog](CHANGELOG.md) Requirements ------------ [](#requirements) - PHP 8.2+ - Laravel 10 / 11 / 12 - `ext-fileinfo` (bundled with PHP) for MIME detection - ClamAV daemon **or** binary (optional, only if using the ClamAV scanner) - VirusTotal API key (optional, only if using the VirusTotal scanner) Sibling packages ---------------- [](#sibling-packages) PackageScope[`artisanpack-ui/security-full`](https://github.com/ArtisanPack-UI/security-full)Meta-package — pulls in the full security suite (all six packages below) in a single require[`artisanpack-ui/security`](https://github.com/ArtisanPack-UI/security)Core: input sanitization, output escaping, KSES, CSP, security headers[`artisanpack-ui/security-auth`](https://github.com/ArtisanPack-UI/security-auth)2FA, password complexity, account lockout, sessions[`artisanpack-ui/security-advanced-auth`](https://github.com/ArtisanPack-UI/security-advanced-auth)WebAuthn, SSO, social login, biometric, device fingerprinting[`artisanpack-ui/rbac`](https://github.com/ArtisanPack-UI/rbac)Roles, permissions, hierarchy, Blade directives, Gate integration[`artisanpack-ui/security-analytics`](https://github.com/ArtisanPack-UI/security-analytics)Event logging, anomaly detection, SIEM, dashboards[`artisanpack-ui/compliance`](https://github.com/ArtisanPack-UI/compliance)GDPR / CCPA / LGPD compliance toolsLicense ------- [](#license) MIT — see [LICENSE](LICENSE). Contributing ------------ [](#contributing) Please read the [contributing guidelines](CONTRIBUTING.md) before opening an issue or PR. ### Health Score 40 — FairBetter than 86% of packages Maintenance95 Actively maintained with recent releases Popularity5 Limited adoption so far Community8 Small or concentrated contributor base Maturity46 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 21d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/ba2a2c40c9a93470595cd10701d2291434f3a7db61862d9700a9e69e31608c6c?d=identicon)[JacobMartellaWebDesign](/maintainers/JacobMartellaWebDesign) --- Top Contributors [![ViewFromTheBox](https://avatars.githubusercontent.com/u/8247489?v=4)](https://github.com/ViewFromTheBox "ViewFromTheBox (23 commits)") --- Tags laravelvalidationsecurityfilesclamavuploadsantivirusvirustotalmalware ### Code Quality TestsPest Code StyleLaravel Pint ### Embed Badge ![Health badge](/badges/artisanpack-ui-secure-uploads/health.svg) ``` [![Health](https://phpackages.com/badges/artisanpack-ui-secure-uploads/health.svg)](https://phpackages.com/packages/artisanpack-ui-secure-uploads) ``` ### Alternatives [sunspikes/clamav-validator Custom Laravel anti-virus validator for file uploads using ClamAV. 3712.0M5](/packages/sunspikes-clamav-validator)[illuminate/validation The Illuminate Validation package. 18837.7M1.6k](/packages/illuminate-validation)[wendelladriel/laravel-validated-dto Data Transfer Objects with validation for Laravel applications 762621.7k17](/packages/wendelladriel-laravel-validated-dto)[laravel-validation-rules/credit-card Validate credit card number, expiration date, cvc 2462.3M6](/packages/laravel-validation-rules-credit-card)[olssonm/l5-zxcvbn Implementation of the zxcvbn project by @dropbox for Laravel. Uses zxcvbn-php by @bjeavons. 29325.4k1](/packages/olssonm-l5-zxcvbn)[romegasoftware/laravel-schema-generator Generate TypeScript Zod validation schemas from Laravel validation rules 3015.3k](/packages/romegasoftware-laravel-schema-generator) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)