ozankurt/laravel-security
=========================

Comprehensive Laravel security suite, WAF, malware scanner, ACL, audit log, live traffic, and notifications. The Wordfence-equivalent for Laravel.

v2.2.0 (4d ago) · 1117 · [2 PRs](https://github.com/OzanKurt/laravel-shield/pulls) · MIT · PHP · PHP ^8.0 · CI failing

[Source](https://github.com/OzanKurt/laravel-shield) · [Packagist](https://packagist.org/packages/ozankurt/laravel-security) · [Docs](https://laravel-shield.ozankurt.com)

Laravel Shield
==============

**Comprehensive security suite for Laravel, the Wordfence equivalent.**

WAF + scanner + ACL + audit log + live traffic + notifications, all configurable, all auditable, all Laravel-native.

> **Brand site:** [laravel-shield.ozankurt.com](https://laravel-shield.ozankurt.com), docs, pricing, license activation.

---

Why Laravel Shield
------------------

| Need | What Shield gives you |
| --- | --- |
| Block malicious requests | 15+ WAF middlewares (XSS, SQLi, LFI, RFI, PHP wrappers, sessions, agents, geo, bots, keyword path filters) + DB-backed rule engine |
| Manage allow/deny lists | Unified `ls_acl` table, IP / CIDR / ASN / country / regex / hostname, first-match-wins evaluation, Redis-cached |
| Detect malware | Scanner with native engine + ClamAV + composer audit; quarantine + restore; signature feed sync |
| Audit-log everything | HMAC-chained `ls_audit_log`, file/config/composer drift detection, `HasAuditLog` trait for model events |
| See live traffic | Sampled `ls_live_traffic` table with optional real-time broadcasting (Reverb / Pusher / Ably) |
| Get alerts | Mail / Slack / Discord / Telegram / Webhook channels, severity-routed |
| Stay locked out? | Three-layer bypass (env key + config IPs + Artisan recovery commands) |
| Beyond Wordfence | Security headers + CSP nonce, honeypot routes, generalized redaction, suspicious activity scoring, HTTPS enforcement, cookie security audit, trusted-proxy auto-discovery, pre-configured rate limiters |

---

Install
-------

```
composer require ozankurt/laravel-shield
php artisan shield:install
```

`shield:install` publishes config + migrations + lang + assets, runs migrations, seeds lookup tables + ~47 built-in WAF rules + ~33 built-in malware signatures, generates `LS_AUDIT_HMAC_SECRET` + `LS_BYPASS_KEY` if missing, and optionally whitelists your current IP so you don't lock yourself out.

Then expose the dashboard by allowing the gate it defines:

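```
// At the top of app/Providers/AppServiceProvider.php
use Illuminate\Support\Facades\Gate;
// In AppServiceProvider::boot(): only authenticated admins pass the gate
Gate::define('viewShieldDashboard', fn ($user) => $user && $user->is_admin);
```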

Visit `/shield`.

Quickstart middlewares
----------------------

In your route file or middleware group, attach what you need:

```
Route::middleware('firewall.all')->group(function () {
    Route::post('/login', LoginController::class);
});

Route::post('/api/upload', UploadController::class)
    ->middleware(['firewall.av_uploads', 'throttle:shield_login']);

Route::middleware(['firewall.acl', 'firewall.headers'])->group(function () {
    // Public site with security headers + ACL evaluation
});
```

Configuration
-------------

After install, see `config/shield.php`. Every limit, threshold, regex, path, and behaviour is exposed. Highlights:

```
// Storage strategy (sync default; queue/redis_batch for high traffic)
'storage' => ['driver' => env('LS_STORAGE_DRIVER', 'sync'), 'sample_rate' => ['live_traffic' => 0.1]],

// Audit log with HMAC chain tamper evidence
'audit' => ['drift' => ['enabled' => true, 'paths' => ['config/' => '*.php', '.env' => null]]],

// Scanner with ClamAV (composer suggest xenolope/quahog)
'scanner' => ['clamav' => ['enabled' => env('LS_CLAMAV_ENABLED', false)]],

// Three-layer bypass for admin lockout recovery
'bypass' => ['ips' => array_filter(explode(',', env('LS_BYPASS_IPS', '')))],

// Beyond-WF extras (all opt-in)
'headers' => ['enabled' => true, 'csp' => ['enabled' => false, 'use_nonce' => true]],
'honeypot' => ['enabled' => false, 'paths' => ['wp-admin', '.env', 'phpmyadmin', '.git/config']],
'scoring' => ['enabled' => false, 'threshold' => 100, 'window' => 3600],
```

Documentation
-------------

| Topic | Doc |
| --- | --- |
| Installation + configuration | [docs/installation.md](docs/installation.md) |
| ACL evaluation + matchers | [docs/acl.md](docs/acl.md) |
| Audit log + HMAC chain | [docs/audit-log.md](docs/audit-log.md) |
| Scanner + ClamAV + signatures | [docs/scanner.md](docs/scanner.md) |
| File-change watcher | [docs/security-watch.md](docs/security-watch.md) |
| Notifications + multi-cadence reports | [docs/notifications.md](docs/notifications.md) |
| Bypass mechanism | [docs/bypass.md](docs/bypass.md) |
| Premium tier + license | [docs/premium.md](docs/premium.md) |

Premium tier
------------

Premium features live in the **same package**, gated by `LS_PREMIUM_LICENSE_KEY` at runtime. No separate composer repo, no Satis, no auth tokens. Buy at [laravel-shield.ozankurt.com](https://laravel-shield.ozankurt.com), paste the key into `.env`, premium features activate on next request.

Premium unlocks:

- Real-time threat feed sync (free tier syncs daily; premium polls every few minutes)
- Real-time IP blocklist subscription
- Hosted audit-log sink (forward audit events to the Shield Central app for cross-site aggregation)
- Future SIEM dashboard integration

The license check is honest soft-enforcement (see [docs/premium.md](docs/premium.md)); the real moat is the API services Ozan hosts, which patching the local check can't unlock.

Companion packages
------------------

- **`ozankurt/laravel-shield-filament`**: Filament panel adapter. v1.x for Filament 3 + 4, v2.x for Filament 5+. (Ships post-1.0.)
- **`ozankurt/laravel-shield-signatures`**: Public GitHub repo of malware signatures. `shield:signatures-sync` pulls from here.

License
-------

MIT, see [LICENSE.md](LICENSE.md).

###  Health Score

46 (Fair). Better than 92% of packages.

- Maintenance: 96. Actively maintained with recent releases
- Popularity: 13. Limited adoption so far
- Community: 9. Small or concentrated contributor base
- Maturity: 56. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 99.4% of commits, a single point of failure

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

###  Release Activity

- Cadence: every ~41 days (recently: every ~8 days)
- Total: 21
- Last Release: 4d ago
- Major Versions: 0.2.2 → v1.0.0-beta.1 (2026-05-26); v1.2.0 → v2.0.0 (2026-05-28)

