fanfanfw/landbot-secure
=======================

Secure Landbot embed for Laravel with session-bound config proxying

v1.0.2 (1mo ago) · MIT · PHP ^8.1

[Source](https://github.com/fanfanfw/landbot-secure) · [Packagist](https://packagist.org/packages/fanfanfw/landbot-secure)

`fanfanfw/landbot-secure` is a Laravel package that hardens Landbot widget embedding by hiding the original `configUrl` behind a session-bound proxy flow.

It does not modify the bot logic inside Landbot. It only changes how the browser obtains the config needed to bootstrap the widget.

What It Solves
--------------

Landbot's default embed snippet exposes a public `configUrl` in browser source. If someone copies that URL, they can attempt to reuse the same bot elsewhere.

This package reduces that risk by:

- Keeping the original `LANDBOT_CONFIG_URL` server-side only
- Issuing a short-lived one-time token via a Laravel `web` session
- Exposing a local Laravel config endpoint that the Landbot SDK can fetch
- Proxying the upstream Landbot config through Laravel only after token validation

Security Boundary
-----------------

This package is a hardening layer, not DRM.

- It hides the original `configUrl` from HTML and bootstrap JavaScript.
- It does not make the proxied config payload impossible to inspect in a legitimate browser session.
- It does not protect against XSS on the host application.
- It does not replace a native vendor-side domain restriction feature.

Requirements
------------

- PHP `^8.1`
- Laravel `^10.0|^11.0|^12.0|^13.0`

Host PHP minimum still follows the Laravel version you install:

- Laravel 10: PHP 8.1+
- Laravel 11-12: PHP 8.2+
- Laravel 13: PHP 8.3+

Installation
------------

```
composer require fanfanfw/landbot-secure
```

Add your Landbot config URL to `.env`:

```
LANDBOT_CONFIG_URL=https://storage.googleapis.com/landbot.online/v3/H-XXXXXXX-XXXXXXXXXXXXXXXXX/index.json
```

Render the widget:

```

```

Validate the setup:

```
php artisan landbot:check
```

Configuration
-------------

You may publish the config file:

```
php artisan vendor:publish --tag=landbot-config
```

Available environment variables:

| Key | Required | Default | Description |
| --- | --- | --- | --- |
| `LANDBOT_CONFIG_URL` | Yes | — | Original Landbot config URL |
| `LANDBOT_ENABLED` | No | `true` | Enable or disable the widget |
| `LANDBOT_ROUTE_PREFIX` | No | `__landbot` | Internal route prefix |
| `LANDBOT_TOKEN_TTL` | No | `2` | Token lifetime in minutes |
| `LANDBOT_RATE_LIMIT` | No | `10` | `/token` requests per minute per IP |
| `LANDBOT_LOGGING` | No | `true` | Enable package logging |
| `LANDBOT_LOG_CHANNEL` | No | `null` | Optional Laravel log channel |

Usage
-----

Basic usage in any Blade view:

```

```

Optional facade usage:

```
use Landbot;

Landbot::isEnabled();
Landbot::getRoutePrefix();
```

Publishable Assets
------------------

Publish config:

```
php artisan vendor:publish --tag=landbot-config
```

Publish views:

```
php artisan vendor:publish --tag=landbot-views
```

How It Works
------------

1. The browser lazily requests `GET /__landbot/token`.
2. Laravel stores a hashed one-time token in the session and returns the raw token.
3. The browser initializes `Landbot.Livechat` with a same-origin local config URL such as `/__landbot/config?token=...`.
4. The Landbot SDK fetches that local config endpoint with the browser session attached.
5. Laravel validates the session-bound token, fetches the upstream Landbot config, and returns proxied JSON while keeping the original upstream `configUrl` hidden.
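A minimal sketch of steps 2 and 5 in plain PHP, added here as an illustration and not taken from the package's source. The array stands in for the Laravel session, and the function names, session key, SHA-256 hashing and burn-on-any-attempt behaviour are assumptions of this sketch.

```php
<?php
// Added illustration, not the package's code. $session stands in for the
// Laravel session store; TOKEN_KEY and both function names are hypothetical.
const TOKEN_KEY = 'landbot_token';

// Step 2: mint a random token, keep only its hash and expiry in the session,
// and hand the raw value to the browser.
function issueToken(array &$session, int $ttlSeconds, int $now): string
{
    $raw = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $session[TOKEN_KEY] = [
        'hash'    => hash('sha256', $raw),   // the raw token is never stored
        'expires' => $now + $ttlSeconds,
    ];
    return $raw;
}

// Step 5: validate the presented token against the caller's own session.
// The stored entry is removed before any comparison, so a token can be
// checked at most once (a design choice of this sketch).
function consumeToken(array &$session, string $presented, int $now): bool
{
    $entry = $session[TOKEN_KEY] ?? null;
    unset($session[TOKEN_KEY]);
    if ($entry === null || $now > $entry['expires']) {
        return false;
    }
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals($entry['hash'], hash('sha256', $presented));
}

// Constructed walk-through: fixed clock, 120-second TTL (the documented
// default for LANDBOT_TOKEN_TTL is 2 minutes).
$now = 1700000000;
$sessionA = [];   // the visitor who loaded the page
$sessionB = [];   // a different session presenting a copied config URL

$token = issueToken($sessionA, 120, $now);
var_dump(consumeToken($sessionB, $token, $now + 5));   // token presented from another session
var_dump(consumeToken($sessionA, $token, $now + 5));   // first use in the issuing session
var_dump(consumeToken($sessionA, $token, $now + 6));   // second use of the same token

$late = issueToken($sessionA, 120, $now);
var_dump(consumeToken($sessionA, $late, $now + 121));  // presented after the TTL has passed
```

Only the upstream fetch in step 5 should run after `consumeToken` returns true; every other path returns an error without contacting the upstream `configUrl`.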

Testing
-------

```
./vendor/bin/phpunit --testdox
```

License
-------

MIT
