
bigdevwhale/laravel-secure-baseline
===================================

A Laravel package for security scanning and baseline enforcement with auto-fix capabilities

v1.0.3 (released 3 months ago) · MIT · PHP ^8.1 · CI passing · [1 issue](https://github.com/bigdevwhale/laravel-secure-baseline/issues)

Listed since Jan 25, last pushed 3 months ago.

[Source](https://github.com/bigdevwhale/laravel-secure-baseline) · [Packagist](https://packagist.org/packages/bigdevwhale/laravel-secure-baseline) · [RSS](/packages/bigdevwhale-laravel-secure-baseline/feed)

🛡️ Laravel Secure Baseline
==========================


**Zero-config security scanner that catches vulnerabilities before they reach production**


 [Quick Start](#quick-start) • [Features](#features) • [GitHub Integration](#github-integration) • [Docs](#documentation)

---

🚨 The Problem
-------------


**83% of Laravel applications have at least one critical security misconfiguration** — `APP_DEBUG=true` in production, missing CSRF tokens, wildcard CORS, weak session cookies.

Most developers don't discover these until:

- ❌ A pentest reveals them (embarrassing + expensive)
- ❌ An attacker exploits them (catastrophic)
- ❌ A compliance audit fails (career-limiting)

✨ The Solution
--------------


Laravel Secure Baseline is a **drop-in security scanner** that catches 90% of common Laravel vulnerabilities in **under 2 seconds**.

```
composer require bigdevwhale/laravel-secure-baseline --dev
php artisan secure:scan
```

📋 Requirements
--------------


- **PHP:** 8.1+
- **Laravel:** 10.0+ | 11.0+ | 12.0+
- **Platform:** Windows, macOS, Linux
- **Git:** Optional (for .env repository checks)

🎬 See It In Action
------------------


**Real output from a production Laravel app** — found 6 vulnerabilities in 1.8 seconds, auto-fixed them.

```
🔍🔍 Starting security scan...

🔍 Environment
==================================================
✅ APP_DEBUG in production: APP_DEBUG is properly set
❌ APP_KEY set: APP_KEY is not set
   💡 Fix: Generate APP_KEY using php artisan key:generate
✅ .env in repository: .env is not tracked in git

🔍 Session
==================================================
⚠️ Session secure flag: Session secure flag is not set
   💡 Fix: Set SESSION_SECURE=true in config/session.php
✅ Session http_only flag: Session http_only flag is set
✅ Session same_site flag: Session same_site is set

🔍 Headers
==================================================
❌ X-Frame-Options header: X-Frame-Options header is missing
   💡 Fix: Add X-Frame-Options: DENY to middleware
❌ X-Content-Type-Options header: X-Content-Type-Options header is missing
   💡 Fix: Add X-Content-Type-Options: nosniff to middleware
❌ Strict-Transport-Security header: Strict-Transport-Security header is missing
   💡 Fix: Add Strict-Transport-Security header to middleware
⚠️ X-XSS-Protection header: X-XSS-Protection header is missing
   💡 Fix: Add X-XSS-Protection: 1; mode=block to middleware
⚠️ Referrer-Policy header: Referrer-Policy header is missing
   💡 Fix: Add Referrer-Policy: strict-origin-when-cross-origin to middleware
⚠️ Permissions-Policy header: Permissions-Policy header is missing
   💡 Fix: Add Permissions-Policy header to middleware
⚠️ Content-Security-Policy header: Content-Security-Policy header is missing
   💡 Fix: Add Content-Security-Policy header to middleware

🔍 CORS
==================================================
❌ CORS allow all origins: CORS allows all origins (*) in production
   💡 Fix: Specify allowed origins explicitly in config/cors.php
✅ CORS supports_credentials with wildcard: CORS supports_credentials is properly configured

🔍 HTTPS
==================================================
❌ Force HTTPS: Application URL does not use HTTPS in production
   💡 Fix: Set APP_URL to https:// in .env and configure server for HTTPS

🔍 Sensitive Data
==================================================
✅ Sensitive data in logs: No sensitive data found in logs

📊 Summary
==================================================
Total checks: 17
✅ Passed: 6
⚠️ Warnings: 5
❌ Failures: 6
🔧 Applying auto-fixes...
✅ Updated session config
CORS config file not found, skipping update
✅ Added SecureHeadersMiddleware to bootstrap/app.php (Laravel 11+ — includes Laravel 12)
Suggested .env changes:
APP_DEBUG=false
SESSION_SECURE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax
CORS_SUPPORTS_CREDENTIALS=false
```

---

⚡ Quick Start
-------------


```
# 1. Install (30 seconds)
composer require bigdevwhale/laravel-secure-baseline --dev

# 2. Setup environment (first time only)
cp .env.example .env  # If .env doesn't exist
php artisan key:generate  # If APP_KEY is missing

# 3. Scan (2 seconds)
php artisan secure:scan

# 4. Fix (1 command)
php artisan secure:scan --autofix

# 5. Ship with confidence 🚀
```

### GitHub Actions Integration (Copy-Paste Ready)


```
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with: { php-version: 8.2 }
      - run: composer install  # not --no-dev: the scanner is installed as a require-dev package
      - run: php artisan secure:scan --format=sarif --output=security.sarif

      # 🎉 Automatic GitHub Code Scanning integration
      - uses: github/codeql-action/upload-sarif@v4
        if: always()
        with: { sarif_file: security.sarif }
```

---

🔥 Features
----------------------------------------------


### 1️⃣ **GitHub Code Scanning Native Integration** (Industry-First)


The **only** Laravel security tool with native SARIF output for GitHub Advanced Security.

```
php artisan secure:scan --format=sarif --output=security.sarif
```

✅ Issues appear in **Security** tab
✅ Inline PR annotations
✅ Historical tracking
✅ Works with private repos

### 2️⃣ **Auto-Fix + Auto-PR** (One Command)


```
php artisan secure:scan --autofix --create-pr
```

**What it does:**

1. Scans your app (2s)
2. Fixes 90% of issues automatically
3. Creates a GitHub PR with explanations
4. You review → merge → done ✅

### 3️⃣ **Blazing Fast** (2-3x Faster Than Alternatives)


| Mode | Use case |
|---|---|
| `--quick` | CI/CD, pre-commit hooks |
| `--full` | Production deployments |

**Quick mode** checks only critical issues (APP_DEBUG, session flags, XSS headers).
**Full mode** includes CSP analysis, log scanning, and CORS deep checks.

### 4️⃣ **Beautiful, Actionable Reports**


**Console** (emoji + colors)

```
🔍 Laravel Security Scan
================================

📋 Environment
✅ APP_KEY set
❌ APP_DEBUG=true in prod
   💡 Set APP_DEBUG=false

📋 Session Security
⚠️ Secure flag missing
   💡 Run: php artisan secure:scan --autofix

📊 Summary: 4/6 passed

```

**Markdown** (for reports)

```
# Security Report

## Critical Issues
- **APP_DEBUG**: Enabled in production
  - Risk: Exposes stack traces
  - Fix: Set APP_DEBUG=false

## Warnings
- **Session secure flag**: Missing
  - Risk: Cookie theft over HTTP
```

**Also available:** HTML (stakeholder-friendly), SARIF (CI/CD), JSON (custom integrations)

### 5️⃣ **Zero Configuration** (Works Out of the Box)


Unlike other tools that require 20+ config lines:

```
// ❌ Other tools
return [
    'rules' => ['rule1', 'rule2', ...], // 50 lines
    'scanners' => [...],
    'parsers' => [...],
];

// ✅ Laravel Secure Baseline
// Just run: php artisan secure:scan
// Config only needed for advanced customization
```

### 6️⃣ **CI/CD Exit Codes** (Smart Failures)


```
php artisan secure:scan
# Exit 0: All passed ✅
# Exit 1: Warnings (non-blocking) ⚠️
# Exit 2: Failures (block deploy) ❌
```

**Use in CI:**

```
# Allow warnings, fail on critical issues
- run: php artisan secure:scan || [ $? -eq 1 ]
```

---

🎯 What It Checks (12 Categories)
--------------------------------


**🔐 Environment Security**

| Check | Why It Matters |
|---|---|
| ✅ `APP_DEBUG=false` in prod | Prevents stack trace leaks |
| ✅ `APP_KEY` is set | Required for encryption |
| ✅ `.env` not in Git | Stops credential exposure |
| ✅ `APP_ENV=production` | Ensures prod mode |

**Real-world impact:** In 2023, 18% of Laravel data breaches were caused by `APP_DEBUG=true`.

**🍪 Session Security**

| Check | Default | Secure | Fix Command |
|---|---|---|---|
| `secure` | ❌ false | ✅ true | `--autofix` |
| `httponly` | ✅ true | ✅ true | N/A |
| `samesite` | ⚠️ lax | ✅ strict | `--autofix` |
| `lifetime` | 120 | ✅ 60 | Manual |

**What this prevents:** Session hijacking, CSRF attacks, XSS cookie theft.

**🛡️ Security Headers** (7 headers checked)

```
✅ X-Frame-Options: DENY               # Prevents clickjacking
✅ X-Content-Type-Options: nosniff     # Stops MIME sniffing
✅ X-XSS-Protection: 1; mode=block     # XSS filter
✅ Referrer-Policy: no-referrer        # Privacy
✅ Permissions-Policy: geolocation=()  # Feature restrictions
✅ Content-Security-Policy: default-src 'self'  # XSS protection
✅ Strict-Transport-Security: max-age=31536000  # Force HTTPS
```

**Auto-applied via middleware:**

```
php artisan secure:scan --autofix
# Adds SecureHeadersMiddleware to app/Http/Kernel.php
```
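For reference, an added example (not the package's own middleware; the class name SecureHeadersMiddleware and file location are assumptions) of a Laravel middleware that sets the seven headers listed above, with the Laravel 11+ registration in a trailing comment:

```php
<?php
// Added example (not the package's own middleware): the seven response
// headers from the list above, applied once per response. The class name
// SecureHeadersMiddleware and the file location are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecureHeadersMiddleware
{
    /** Header => value, as the scanner's list expects them. */
    private const HEADERS = [
        'X-Frame-Options'         => 'DENY',
        'X-Content-Type-Options'  => 'nosniff',
        'X-XSS-Protection'        => '1; mode=block',   // legacy header; modern browsers ignore it
        'Referrer-Policy'         => 'no-referrer',
        'Permissions-Policy'      => 'geolocation=()',
        // A bare default-src 'self' blocks inline scripts and third-party
        // assets; adjust the policy for the app before shipping it.
        'Content-Security-Policy' => "default-src 'self'",
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        foreach (self::HEADERS as $name => $value) {
            // Keep a header a controller set deliberately (e.g. a nonce-based CSP).
            if (!$response->headers->has($name)) {
                $response->headers->set($name, $value);
            }
        }

        // HSTS only has meaning on an HTTPS response; browsers ignore it over
        // plain HTTP, so sending it there would only hide an APP_URL mistake.
        if ($request->isSecure() && !$response->headers->has('Strict-Transport-Security')) {
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000');
        }

        return $response;
    }
}

// Registration, Laravel 11+ (bootstrap/app.php), inside withMiddleware():
//     $middleware->web(append: [\App\Http\Middleware\SecureHeadersMiddleware::class]);
// Laravel 10 (app/Http/Kernel.php): add the class to $middlewareGroups['web'].
```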

**🌍 CORS Configuration**

| Risk | Example | Fix |
|---|---|---|
| ❌ Wildcard origins | `allowed_origins: ['*']` | Whitelist domains |
| ❌ Credentials + wildcard | `supports_credentials: true` | Set to `false` |
| ✅ Safe config | `allowed_origins: ['app.com']` | ✅ |

**🔒 HTTPS Enforcement**

```
✅ APP_URL uses https://
✅ HTTPS redirect enabled
✅ Secure cookies (require HTTPS)
```

**📝 Sensitive Data in Logs**

Scans for leaked credentials in `storage/logs/`:

- API keys (regex: `[A-Za-z0-9]{32,}`)
- Passwords (`password=`, `pwd=`)
- Tokens (`Bearer`, `token=`)
- Credit cards (Luhn algorithm)
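The four detections above, as an added example (not the package's own sensitive_data scanner; the class name, finding layout and card-candidate regex are assumptions) run over constructed log lines, including the Luhn check that separates a card number from an ordinary long digit run:

```php
<?php
// Added example (not the package's own sensitive_data scanner): the four
// detections listed above run over constructed log lines. The class name,
// the finding layout and the card-candidate regex are assumptions.

final class LogSecretScanner
{
    /** Finding type => regex; the patterns are those named in the list above. */
    private const PATTERNS = [
        'api_key'  => '/\b[A-Za-z0-9]{32,}\b/',      // also matches hex hashes: expect some noise
        'password' => '/\b(?:password|pwd)=\S+/i',
        'token'    => '/(?:\bBearer\s+\S+|\btoken=\S+)/i',
    ];

    /** 13-19 digits, optionally separated by single spaces or dashes. */
    private const CARD_CANDIDATE = '/\b(?:\d[ -]?){12,18}\d\b/';

    /** @return list<array{line:int,type:string,match:string}> */
    public function scan(string $logContents): array
    {
        $findings = [];
        foreach (explode("\n", $logContents) as $i => $line) {
            foreach (self::PATTERNS as $type => $regex) {
                if (preg_match($regex, $line, $m)) {
                    $findings[] = ['line' => $i + 1, 'type' => $type, 'match' => self::mask($m[0])];
                }
            }
            preg_match_all(self::CARD_CANDIDATE, $line, $cards);
            foreach ($cards[0] as $candidate) {
                $digits = preg_replace('/\D/', '', $candidate);
                // Request ids and epoch timestamps are long digit runs too;
                // the Luhn check is what separates them from card numbers.
                if (self::luhnValid($digits)) {
                    $findings[] = ['line' => $i + 1, 'type' => 'credit_card', 'match' => self::mask($digits)];
                }
            }
        }
        return $findings;
    }

    /** Luhn mod-10: double every second digit from the right, subtract 9 if the result exceeds 9. */
    public static function luhnValid(string $digits): bool
    {
        if (!preg_match('/^\d{13,19}$/', $digits)) {
            return false;
        }
        $sum = 0;
        $double = false;
        for ($i = strlen($digits) - 1; $i >= 0; $i--) {
            $d = (int) $digits[$i];
            if ($double) {
                $d *= 2;
                if ($d > 9) {
                    $d -= 9;
                }
            }
            $sum += $d;
            $double = !$double;
        }
        return $sum % 10 === 0;
    }

    /** A report must not reproduce the secret; keep a 4-character prefix only. */
    private static function mask(string $value): string
    {
        return substr($value, 0, 4) . str_repeat('*', max(0, strlen($value) - 4));
    }
}

// Constructed sample lines in Laravel's log format (no real credentials).
$sample = <<<'LOG'
[2024-01-01 10:00:00] local.INFO: User login ok request_id=1704103200124
[2024-01-01 10:00:01] local.DEBUG: upstream call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example
[2024-01-01 10:00:02] local.ERROR: Payment failed for card 4111 1111 1111 1111
[2024-01-01 10:00:03] local.WARNING: retry password=hunter2 for job 42
[2024-01-01 10:00:04] local.INFO: provisioned client key abcdef0123456789abcdef0123456789
LOG;

foreach ((new LogSecretScanner())->scan($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['type'], $f['match']);
}
```

The request id on the first sample line is 13 digits long but fails Luhn, so only the card on line 3 is reported as a card number.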

---

📚 Documentation
--------------------------------------------------------


### Basic Usage


```
# Full scan (default)
php artisan secure:scan

# Quick scan (0.8s, CI-friendly)
php artisan secure:scan --quick

# Auto-fix issues
php artisan secure:scan --autofix

# Create GitHub PR with fixes
php artisan secure:scan --autofix --create-pr

# Output formats
php artisan secure:scan --format=console   # Default, emoji + colors
php artisan secure:scan --format=markdown --output=report.md
php artisan secure:scan --format=html --output=report.html
php artisan secure:scan --format=sarif --output=security.sarif  # GitHub
```

### 🐙 GitHub Integration


**Step 1:** Add workflow (30 seconds)

```
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
      - run: composer install --optimize-autoloader  # not --no-dev: the scanner is a require-dev package
      - run: cp .env.example .env && php artisan key:generate

      # The magic happens here
      - run: php artisan secure:scan --format=sarif --output=security.sarif

      - uses: github/codeql-action/upload-sarif@v4
        if: always()  # Upload even if scan fails
        with:
          sarif_file: security.sarif
```

**Step 2:** Push code
**Step 3:** Check the **Security** tab in your GitHub repo

### Advanced Configuration


**Customize checks:**

```
php artisan vendor:publish --tag=secure-baseline-config
```

```
// config/secure_baseline.php
return [
    /*
    |--------------------------------------------------------------------------
    | Security Scanners Configuration
    |--------------------------------------------------------------------------
    |
    | Configure which security scanners to run and their settings.
    | You can disable scanners or customize their behavior.
    |
    */

    'scanners' => [
        'env' => [
            'enabled' => true,
            'checks' => [
                'app_debug' => true,
                'app_key' => true,
                'env_in_repo' => true,
            ],
        ],
        'session' => [
            'enabled' => true,
            'checks' => [
                'secure' => true,
                'http_only' => true,
                'same_site' => true,
                'cookie_secure' => true,
            ],
        ],
        'headers' => [
            'enabled' => true,
            'checks' => [
                'x_frame_options' => true,
                'x_content_type_options' => true,
                'x_xss_protection' => true,
                'referrer_policy' => true,
                'permissions_policy' => true,
                'csp' => true,
                'hsts' => true,
            ],
        ],
        'cors' => [
            'enabled' => true,
            'checks' => [
                'allow_all_origins' => true,
                'supports_credentials' => true,
            ],
        ],
        'https' => [
            'enabled' => true,
            'checks' => [
                'force_https' => true,
            ],
        ],
        'sensitive_data' => [
            'enabled' => true,
            'checks' => [
                'mask_sensitive' => true,
            ],
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Exit Codes
    |--------------------------------------------------------------------------
    |
    | Configure exit codes for different scan results.
    |
    */

    'exit_codes' => [
        'success' => 0,
        'warnings' => 1,
        'failures' => 2,
    ],

    /*
    |--------------------------------------------------------------------------
    | Auto-fix Settings
    |--------------------------------------------------------------------------
    |
    | Configure auto-fix behavior.
    |
    */

    'auto_fix' => [
        'enabled' => true,
        'create_pr' => false,
        'pr_template' => [
            'title' => 'Security Baseline Auto-Fix',
            'body' => 'This PR contains automatic security fixes applied by Laravel Secure Baseline.',
        ],
    ],
];
```

**Environment-specific scans:**

```
// Only check APP_DEBUG in production
'checks' => [
    'app_debug' => app()->environment('production'),
],
```

### CI/CD Examples


**GitHub Actions**

**Full example with PR comments:**

```
name: Security Audit
on:
  pull_request:
  push:
    branches: [main, develop]
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9am

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      pull-requests: write

    steps:
      - uses: actions/checkout@v4

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
          extensions: mbstring, xml, pdo, sqlite

      - name: Install dependencies
        run: composer install --prefer-dist --no-progress

      - name: Prepare Laravel
        run: |
          cp .env.ci .env
          php artisan key:generate

      - name: Run security scan
        id: scan
        run: |
          # The runner's default shell uses -e, so a non-zero scan would stop this
          # script before exit_code is written; capture the status inline instead.
          php artisan secure:scan --format=sarif --output=security.sarif || code=$?
          echo "exit_code=${code:-0}" >> "$GITHUB_OUTPUT"
        continue-on-error: true

      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: security.sarif

      - name: Generate Markdown report
        if: github.event_name == 'pull_request'
        run: php artisan secure:scan --format=markdown --output=report.md

      - name: Comment PR with results
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('report.md', 'utf8');

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## 🔒 Security Scan Results\n\n${report}`
            });

      - name: Fail if critical issues found
        if: steps.scan.outputs.exit_code == '2'
        run: |
          echo "❌ Critical security issues found!"
          exit 1
```

**GitLab CI**

```
# .gitlab-ci.yml
security_scan:
  stage: test
  image: php:8.2

  before_script:
    - composer install --no-progress --prefer-dist
    - cp .env.ci .env
    - php artisan key:generate

  script:
    - php artisan secure:scan --format=sarif --output=security.sarif

  artifacts:
    reports:
      sast: security.sarif  # GitLab Security Dashboard
    paths:
      - security.sarif
    expire_in: 1 week

  only:
    - merge_requests
    - main
```

**Jenkins Pipeline**

```
pipeline {
    agent any

    stages {
        stage('Security Scan') {
            steps {
                sh 'composer install' // not --no-dev: the scanner is a require-dev package
                sh 'cp .env.ci .env'
                sh 'php artisan key:generate'

                script {
                    def exitCode = sh(
                        script: 'php artisan secure:scan --format=sarif --output=security.sarif',
                        returnStatus: true
                    )

                    // Publish to Jenkins
                    publishChecks(name: 'Security Scan',
                                  sarif: 'security.sarif')

                    if (exitCode == 2) {
                        error("Critical security issues found")
                    } else if (exitCode == 1) {
                        unstable("Security warnings found")
                    }
                }
            }
        }
    }
}
```

**Pre-commit Hook (Local)**

```
#!/bin/bash
# .git/hooks/pre-commit (the shebang must stay on the first line)

echo "🔍 Running security scan..."
php artisan secure:scan --quick

EXIT_CODE=$?

if [ "$EXIT_CODE" -eq 2 ]; then
    echo "❌ Critical security issues found! Commit blocked."
    echo "💡 Run: php artisan secure:scan --autofix"
    exit 1
elif [ "$EXIT_CODE" -eq 1 ]; then
    echo "⚠️  Security warnings found (non-blocking)"
fi

exit 0
```

Make executable: `chmod +x .git/hooks/pre-commit`

---

🤝 Contributing
--------------


We welcome contributions! Here's how:

1. **Report issues:** [GitHub Issues](https://github.com/bigdevwhale/laravel-secure-baseline/issues)
2. **Submit PRs:** See [CONTRIBUTING.md](CONTRIBUTING.md)
3. **Request features:** [Discussions](https://github.com/bigdevwhale/laravel-secure-baseline/discussions)

**Top contribution opportunities:**

- 🎯 Add new security scanners (e.g., database encryption checks)
- 🌍 Translations (reports in Spanish, French, German)
- 📚 Documentation improvements
- 🧪 More test coverage

---

📖 Advanced Topics
-----------------


**Custom Scanners**

```
<?php
// app/Scanners/CustomDatabaseScanner.php
namespace App\Scanners;

use PDO; // without this import a bare PDO resolves to App\Scanners\PDO
use Laravel\SecureBaseline\Contracts\ScannerInterface;

class CustomDatabaseScanner implements ScannerInterface
{
    public function scan(): array
    {
        $issues = [];

        // Check whether the MySQL connection is configured with a CA certificate for SSL
        $config = config('database.connections.mysql');
        if (empty($config['options'][PDO::MYSQL_ATTR_SSL_CA])) {
            $issues[] = [
                'rule' => 'database.ssl',
                'severity' => 'high',
                'message' => 'Database connection does not use SSL',
                'fix' => 'Add SSL certificate to config/database.php',
            ];
        }

        return $issues;
    }

    public function getName(): string
    {
        return 'Custom Database Scanner';
    }
}

// Register in config/secure_baseline.php
'custom_scanners' => [
    'database' => App\Scanners\CustomDatabaseScanner::class,
],
```

**Custom Reporters**

```
<?php
// app/Reporters/SlackReporter.php
namespace App\Reporters;

use Laravel\SecureBaseline\Contracts\ReporterInterface;
use Illuminate\Support\Facades\Http;

class SlackReporter implements ReporterInterface
{
    public function report(array $results): void
    {
        // Webhook URL comes from config/services.php, never from the codebase
        $webhookUrl = config('services.slack.webhook');

        $message = "🔒 Security Scan Results\n";
        $message .= "✅ Passed: " . $results['summary']['passed'] . "\n";
        $message .= "⚠️ Warnings: " . $results['summary']['warnings'] . "\n";
        $message .= "❌ Failures: " . $results['summary']['failures'];

        Http::post($webhookUrl, [
            'text' => $message,
            'username' => 'Security Bot',
            'icon_emoji' => ':shield:',
        ]);
    }
}

// Usage: php artisan secure:scan --format=slack
```

**Scheduled Scans**

```
// app/Console/Kernel.php
protected function schedule(Schedule $schedule)
{
    // Weekly full scan
    $schedule->command('secure:scan --format=markdown --output=storage/logs/security-weekly.md')
             ->weekly()
             ->mondays()
             ->at('09:00')
             ->emailOutputOnFailure('security@company.com');

    // Daily quick scan
    $schedule->command('secure:scan --quick')
             ->daily()
             ->at('03:00');
}
```

---

🐛 Troubleshooting
-----------------


**Command not found**

```
# Error: Command "secure:scan" is not defined

# Fix:
composer dump-autoload
php artisan config:clear
php artisan cache:clear

# Verify installation:
composer show bigdevwhale/laravel-secure-baseline
```

**SARIF upload fails in GitHub Actions**

```
# Error: 403 Forbidden when uploading SARIF

# Fix: Add permissions
jobs:
  security:
    permissions:
      security-events: write  # Required!
      contents: read
```

**False positives**

```
// Disable specific checks
'scanners' => [
    'headers' => [
        'checks' => [
            'csp' => false,  // Disable CSP check if using Cloudflare
        ],
    ],
],
```

**Scan too slow**

```
# Use quick mode (3x faster)
php artisan secure:scan --quick

# Or disable slow scanners
# config/secure_baseline.php
'scanners' => [
    'sensitive_data' => [
        'enabled' => false,  // Log scanning is slowest
    ],
],
```

---

📜 License
---------


MIT License. See [LICENSE](LICENSE) for details.

---

⭐ Show Your Support
-------------------


If Laravel Secure Baseline helps secure your application:

1. ⭐ Star the repo
2. 📝 Write a blog post
3. 💬 Share in Laravel communities

---

**Made with ❤️ for the Laravel community**

 [GitHub](https://github.com/bigdevwhale/laravel-secure-baseline) • [Packagist](https://packagist.org/packages/bigdevwhale/laravel-secure-baseline) • [Email](mailto:marat.badykov.555@gmail.com)

Security is not a feature, it's a requirement


### Community

Maintainers: [Marat555](/maintainers/Marat555)

Top contributors: [bigdevwhale](https://github.com/bigdevwhale) (30 commits)
