
jvmtech/neos-hardening
======================

Harden request headers, login interface and passwords to increase backend security.

Version 2.0.0 · License: MIT · Language: PHP · [Source](https://github.com/jvm-tech/JvMTECH.NeosHardening) · [Packagist](https://packagist.org/packages/jvmtech/neos-hardening)

JvMTECH.NeosHardening Package for Neos CMS
==========================================


Harden request headers, login interface and passwords to increase backend security.

Installation
------------


```
composer require jvmtech/neos-hardening
```

Active by default
-----------------


- Remove Neos version info from request headers \*
- Set min password strength requirements

Optional features
-----------------


- Change the default login URL "/neos" to something like "/neos-random-suffix" \*:

    ```
    JvMTECH:
      NeosHardening:
        loginUri: 'neos-random-suffix'
    ```
- Replace the dynamic login URL check with a custom RegEx (not needed if you just replace `loginUri`):

    ```
    JvMTECH:
      NeosHardening:
        loginUriRegex: '/^(neos)?($|\/)/'
    ```
- Limit login interface access to specified IP addresses:

    ```
    JvMTECH:
      NeosHardening:
        allowedIPs:
          IPv4:
            - '172.20.30.40'
            - '172.20.0.0/24'
          IPv6:
            - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
    ```
- Define password strength requirements, defaults:

    ```
    JvMTECH:
      NeosHardening:
        checkPasswordStrengthOnAddUser: true
        checkPasswordStrengthOnSetUserPassword: true
        passwordRequirements:
          minLength: 8
          upperAndLowerCase: true
          numbers: true
          specialChars: false
          maxConsecutiveLetters: 0 # disabled
          maxConsecutiveNumbers: 0 # disabled
    ```
- An example for secure passwords (should be your standard because you use a password manager, right? 😉):

    ```
    JvMTECH:
      NeosHardening:
        passwordRequirements:
          minLength: 16
          upperAndLowerCase: true
          numbers: true
          specialChars: true
          maxConsecutiveLetters: 3
          maxConsecutiveNumbers: 3

    # "djxAHQC0bzc_tjd9nmg" would fail
    # "djx@HQC0bzc_tjd9nmg" would work
    ```
- Disable user on too many failed login attempts:

    ```
    JvMTECH:
      NeosHardening:
        checkFailedLogins: true
        blockAfterFailedLogins: 5
    ```
- Prevent reuse of old passwords:

    ```
    JvMTECH:
      NeosHardening:
        checkPasswordHistory: true
        passwordHistoryLength: 10
    ```
- Force password reset on new account creation or admin update:

    ```
    JvMTECH:
      NeosHardening:
        forcePasswordResetAfterUpdate: true
    ```
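
To try candidate passwords against a `passwordRequirements` policy before rolling it out, the following stand-alone PHP check is an added example, not the package's own validator and not code from this README. The function name `checkPassword`, the reading of `maxConsecutive*` as "a run longer than the value fails", and the definition of a special character as anything that is neither a letter nor a digit are assumptions chosen to agree with the two sample passwords in the secure-password example above.

```php
<?php
declare(strict_types=1);

// Added example: a stand-alone policy check, NOT the package's validator.
// Array keys mirror passwordRequirements; 0 disables a max-run rule,
// as in the README defaults. Returns the names of the violated rules.
function checkPassword(string $password, array $req): array
{
    $errors = [];
    if (mb_strlen($password) < $req['minLength']) {
        $errors[] = 'minLength';
    }
    if ($req['upperAndLowerCase']
        && !(preg_match('/\p{Lu}/u', $password) && preg_match('/\p{Ll}/u', $password))) {
        $errors[] = 'upperAndLowerCase';
    }
    if ($req['numbers'] && !preg_match('/[0-9]/', $password)) {
        $errors[] = 'numbers';
    }
    // Assumption: a "special char" is anything that is neither a letter nor a digit.
    if ($req['specialChars'] && !preg_match('/[^\p{L}0-9]/u', $password)) {
        $errors[] = 'specialChars';
    }
    // Assumption: a run longer than the configured maximum violates the rule.
    $runs = ['maxConsecutiveLetters' => '\p{L}', 'maxConsecutiveNumbers' => '[0-9]'];
    foreach ($runs as $key => $class) {
        $max = $req[$key];
        if ($max > 0 && preg_match('/' . $class . '{' . ($max + 1) . ',}/u', $password)) {
            $errors[] = $key;
        }
    }
    return $errors;
}

// The strict policy from the README's secure-password example.
$strict = [
    'minLength' => 16, 'upperAndLowerCase' => true, 'numbers' => true,
    'specialChars' => true, 'maxConsecutiveLetters' => 3, 'maxConsecutiveNumbers' => 3,
];

// The two sample passwords from that example.
foreach (['djxAHQC0bzc_tjd9nmg', 'djx@HQC0bzc_tjd9nmg'] as $candidate) {
    $errors = checkPassword($candidate, $strict);
    echo $candidate, ' => ',
        $errors ? 'rejected: ' . implode(', ', $errors) : 'accepted', PHP_EOL;
}
```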

\*) Why hiding stuff?
---------------------


Hiding the Neos version in the request headers and moving the login to a new URL is nothing more than "[security by obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity)".

Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.

---

by [jvmtech.ch](https://jvmtech.ch)

