

sicaboy/laravel-security
========================

This package can be used to enhance the user security of Laravel projects.


Laravel Security Components
===========================



Introduction
------------


This package can be used to enhance the user security of Laravel projects.

Installation
------------


Requirements:

- [PHP](https://php.net) 5.5+
- [Composer](https://getcomposer.org)

To get the latest version of Laravel Security, simply run:

```
composer require sicaboy/laravel-security

```

Then publish the vendor assets:

```
php artisan vendor:publish --provider="Sicaboy\LaravelSecurity\LaravelSecurityServiceProvider"

```

After publishing, you can modify templates and config in:

```
config/laravel-security.php
resources/views/vendor/laravel-security/
resources/lang/en/laravel-security.php

```

If you're on Laravel < 5.5, you'll need to register the service provider. Open up `config/app.php` and add the following to the `providers` array:

```
Sicaboy\LaravelSecurity\LaravelSecurityServiceProvider::class,
```

Features
========


Disallow common or previously used passwords
--------------------------------------------

**Verify that the user-provided password is not one of the top 10,000 worst passwords** as analyzed by a respectable IT security analyst. Read more [here](https://xato.net/10-000-top-passwords-6d6380716fe0#.473dkcjfm), [here (Wired)](http://www.wired.com/2013/12/web-semantics-the-ten-thousand-worst-passwords/) or [here (Telegraph)](http://www.telegraph.co.uk/technology/internet-security/10303159/Most-common-and-hackable-passwords-on-the-internet.html).

#### Available validation rules

- [NotCommonPassword](src/Rules/NotCommonPassword.php) - Prevents the user from choosing a commonly used password
- [NotAUsedPassword](src/Rules/NotAUsedPassword.php) - Prevents the user from choosing a password they have used before

```
// Add rule instance to the field validation rules list
public function rules()
{
    return [
        'password_field' => [
            'required',
            'confirmed',
            'min:8',
            'regex:/[a-z]/',      // must contain at least one lowercase letter
            'regex:/[A-Z]/',      // must contain at least one uppercase letter
            'regex:/[0-9]/',      // must contain at least one digit
            //...
            new \Sicaboy\LaravelSecurity\Rules\NotCommonPassword(),
            new \Sicaboy\LaravelSecurity\Rules\NotAUsedPassword($user),
        ],
    ];
}
// You also need to fire an event; see the examples in the next section
```
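How checks of this kind can work, as an added sketch in plain PHP (not the package's own code; `isCommonPassword()`, `isUsedPassword()` and the sample data are assumptions). The point it shows is that a password history stored as salted hashes has to be tested with `password_verify()` against each stored hash, because hashing the candidate again never reproduces a stored value.

```php
<?php
// Added illustration, not code from sicaboy/laravel-security.
// isCommonPassword(), isUsedPassword() and all sample data are hypothetical.

/** True if the candidate appears in the common-password list (case-insensitive). */
function isCommonPassword(string $candidate, array $commonList): bool
{
    // Flip the list into a hash set so each lookup is O(1),
    // which matters once the list holds 10,000 entries.
    $set = array_flip(array_map('strtolower', $commonList));

    return isset($set[strtolower($candidate)]);
}

/**
 * True if the candidate matches any previously stored password hash.
 *
 * password_hash() generates a fresh salt on every call, so comparing
 * password_hash($candidate) with a stored hash as strings never matches.
 * password_verify() re-derives the hash using the salt embedded in the
 * stored value, which is the only correct comparison.
 */
function isUsedPassword(string $candidate, array $previousHashes): bool
{
    foreach ($previousHashes as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }

    return false;
}

// Constructed sample data: a tiny common list and a two-entry history.
$common  = ['123456', 'password', 'qwerty', 'letmein'];
$history = [
    password_hash('Spring2023!x', PASSWORD_DEFAULT),
    password_hash('Summer2023!x', PASSWORD_DEFAULT),
];

var_dump(isCommonPassword('PassWord', $common));      // mixed case still matches
var_dump(isUsedPassword('Summer2023!x', $history));   // reused password
var_dump(isUsedPassword('Autumn2023!x', $history));   // new password
// The naive string comparison, for contrast, fails to detect the reuse:
var_dump(in_array(password_hash('Summer2023!x', PASSWORD_DEFAULT), $history, true));
```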

#### CAUTION: Extra event you need to call

User login and registration events are tracked automatically. There is one extra event, however, that you need to fire explicitly.

```
// Call on user password change
event(new \Illuminate\Auth\Events\PasswordReset($user));

// If you use custom login, register or reset-password actions instead of the Laravel built-in ones, fire the matching event in your own function.
event(new \Illuminate\Auth\Events\Login($user));
event(new \Illuminate\Auth\Events\Registered($user));
event(new \Illuminate\Auth\Events\PasswordReset($user));
```

Usage
-----


#### Password Policies


- Delete accounts after a number of days without activity
- Lock out accounts after a number of days without activity
- Force a password change every x days

1. To enable the first two policies, you need to set `enabled` to `true` in `config/laravel-security.php` as below:

```
...
'password_policy' => [
    // Delete accounts with days of no activity
    'auto_delete_inactive_accounts' => [
        'enabled' => true,
        ...
    ],

    // Lock out accounts with days of no activity
    'auto_lockout_inactive_accounts' => [
        'enabled' => true,
        ...
    ],
]
...
```

2. To reject locked accounts and force users to change their password every x days, use this middleware:

```
Route::middleware(['security'])->group(function () {
    ...
});
```

### If Using Different User Objects

- If you use different `User` objects, for example a traditional `App\User` and a custom admin user, you can write the middleware this way:

```
Route::middleware(['security:admin'])->group(function () {
  ...
});
```

- Add a config group to your `config/laravel-security.php`:

```
 return [
     'default' => [
         ...
     ],
     'group' => [
         'admin' => [ // Example, used by middleware 'security:admin'. Attributes not listed here are inherited from `default` above
            ...
         ],
         'other_name' => [ // Middleware 'security:other_name'
             ...
         ]
     ],
 ];
```

3. To enable `Force change password every x days`, set `enabled` to `true` and set `change_password_url` in `config/laravel-security.php` as below:

```
...
'password_policy' => [
    ...
    // Force change password every x days
    'force_change_password' => [
        'enabled' => true,
        'days_after_last_change' => 90, // every 90 days
        'change_password_url' => '/user/change-password', // Change My Password page URL
    ],
    ...
]
...
```

4. Add the following commands to `app/Console/Kernel.php` of your application. **Do this on one instance only if you use a web server cluster.**

```
protected function schedule(Schedule $schedule)
{
    $schedule->command(\Sicaboy\LaravelSecurity\Console\Commands\DeleteInactiveAccounts::class)
             ->hourly();
    $schedule->command(\Sicaboy\LaravelSecurity\Console\Commands\LockoutInactiveAccounts::class)
             ->hourly();
    ...
}
```

5. Make sure you add the [Laravel scheduler](https://laravel.com/docs/7.x/scheduling#introduction) to your crontab. **Do this on one instance only if you use a web server cluster.**

```
* * * * * cd /path-to-your-project && php artisan schedule:run >> /dev/null 2>&1

```
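The `force_change_password` policy configured above comes down to a per-request decision like the following, shown as an added sketch in plain PHP (not the package's middleware; `passwordChangeRedirect()` and the sample dates are assumptions, the policy keys are the ones from the config shown earlier). It covers two edge cases: the change-password page must be exempt from the redirect, and a last-change timestamp in the future must not count as expired.

```php
<?php
// Added illustration, not the package's middleware.
// passwordChangeRedirect() is a hypothetical helper; the policy keys are the
// ones shown in config/laravel-security.php above.

/**
 * Returns the URL to redirect to when the password has expired,
 * or null when the request may proceed.
 */
function passwordChangeRedirect(
    array $policy,
    DateTimeImmutable $lastChanged,
    string $requestPath,
    DateTimeImmutable $now
): ?string {
    if (empty($policy['enabled'])) {
        return null;
    }

    // A last-change timestamp in the future (clock skew, bad data) counts as age 0.
    $diff = $lastChanged->diff($now);
    $ageDays = $diff->invert ? 0 : (int) $diff->days;
    if ($ageDays < $policy['days_after_last_change']) {
        return null;
    }

    // Let the change-password page itself through; otherwise an expired
    // user is redirected in a loop and can never set a new password.
    $target = '/' . trim($policy['change_password_url'], '/');
    if ('/' . trim($requestPath, '/') === $target) {
        return null;
    }

    return $policy['change_password_url'];
}

// Constructed sample values.
$policy = [
    'enabled' => true,
    'days_after_last_change' => 90,
    'change_password_url' => '/user/change-password',
];
$now = new DateTimeImmutable('2024-06-01');
$old = new DateTimeImmutable('2024-01-01'); // 152 days before $now

var_dump(passwordChangeRedirect($policy, $old, '/dashboard', $now));
var_dump(passwordChangeRedirect($policy, $old, '/user/change-password', $now));
var_dump(passwordChangeRedirect($policy, $now, '/dashboard', $now));
```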

Multi-factor Authentication
---------------------------


This feature has been moved to [sicaboy/laravel-mfa](https://github.com/sicaboy/laravel-mfa)

TODO
----


- Ability to split the `extended_security` table into multiple tables, or other methods to support websites with a huge number of users.
- Add a cron job that removes old password records to keep the table from growing too large.

Changelog
---------


Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------


Please feel free to fork this package and contribute by submitting a pull request to enhance the functionalities.

License
-------


The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

