dsentker/url-signature
======================

A secure URI generation and validation library

Version 1.2.0, MIT license, requires PHP ^7.2 || ^8.0. [Source](https://github.com/dsentker/url-signature), [Packagist](https://packagist.org/packages/dsentker/url-signature).

UrlSignature
------------

**Create URLs with a signature to prevent modification**

This small PHP >7.2.0 library allows developers to build URLs with a hash to prevent the modification of URL parts.

Why?
----

A common attack method that pentesters and actual attackers will use is to capture a URL with "id" values in it (like `/user/view?id=1234`) and manually change this value to try to bypass authorization checks. While an application should always have some kind of auth check when the URL is called, there's another step that can help to prevent URL changes: a signature value.

This signature value is built using the contents of the current URL along with a "secret" value unique to the application. This signature is then appended to the URL and can be used directly in links. When the URL is used and the request is received, the signature is then checked against the current URL values. If there's no match, the check fails.

Installation
------------

Installing via [Composer](https://getcomposer.org) is simple:

`composer require dsentker/url-signature`

If you do not like Composer, you can download this repository and use any PSR-4 autoloader to get everything loaded.

There is also [a **Symfony bundle**](https://github.com/dsentker/url-signature-bundle/) available:

`composer require dsentker/url-signature-bundle`

Usage
-----

To sign (or validate) URLs, a key is required (which is of course secret). The key is used to hash selected parts\* of the URL, and the resulting hash is attached as a signature in the query string of the URL.

*\*) You can decide for yourself which parts of the URL should be hashed.*

Later, on validation, the same key is used to hash the current URL. This hash is compared with the hash in the query string.
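
The sign-then-verify flow described above, as an added example that is not the library's own code or API. It assumes HMAC-SHA-256 as the keyed hash, a `_sig` query parameter, URLs without a fragment, and the hypothetical helpers `canonicalize`, `signUrl` and `verifyUrl`; sorting the query keys before hashing is a design choice of this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration, not the dsentker/url-signature API; every name here is hypothetical.
const SIG_PARAM = '_sig'; // assumed name of the signature query parameter

/** Canonical string over the chosen URL parts: signature removed, query keys sorted. */
function canonicalize(string $url, array $parts): string
{
    $u = parse_url($url);
    if ($u === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    parse_str($u['query'] ?? '', $query);
    unset($query[SIG_PARAM]);
    ksort($query);
    $u['query'] = http_build_query($query);

    $lines = [];
    foreach ($parts as $part) {
        $lines[] = $part . '=' . ($u[$part] ?? '');
    }
    return implode("\n", $lines);
}

function signUrl(string $url, string $key, array $parts = ['host', 'path', 'query']): string
{
    $mac = hash_hmac('sha256', canonicalize($url, $parts), $key);
    $sep = parse_url($url, PHP_URL_QUERY) === null ? '?' : '&';
    return $url . $sep . SIG_PARAM . '=' . $mac;
}

function verifyUrl(string $url, string $key, array $parts = ['host', 'path', 'query']): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    $given = $query[SIG_PARAM] ?? '';
    if (!is_string($given)) {
        return false; // reject array-valued input such as _sig[]=x
    }
    $expected = hash_hmac('sha256', canonicalize($url, $parts), $key);
    return hash_equals($expected, $given); // constant-time comparison
}

$key = 'constructed-demo-key'; // constructed sample value, not a real secret
$signed = signUrl('https://example.com/user/view?id=1234', $key);
var_dump(verifyUrl($signed, $key));                                    // untouched link
var_dump(verifyUrl(str_replace('id=1234', 'id=1235', $signed), $key)); // id edited after signing
```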

### Signing URLs

```
