PHPackages subhashladumor1/laravel-cybershield - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. subhashladumor1/laravel-cybershield ActiveLibrary[Security](/categories/security) subhashladumor1/laravel-cybershield =================================== Enterprise-grade Laravel security package providing WAF firewall protection, rate limiting, bot detection, honeypot traps, IP geo-blocking, CSRF/XSS/SQLi defence, API gateway security, real-time threat monitoring, malware scanning, and a built-in security dashboard β€” all configurable via a single config file. 1.0.0(1mo ago)00MITPHPPHP ^8.2 Since Mar 29Pushed 1mo agoCompare [ Source](https://github.com/subhashladumor1/laravel-cybershield)[ Packagist](https://packagist.org/packages/subhashladumor1/laravel-cybershield)[ Docs](https://github.com/subhashladumor1/laravel-cybershield)[ RSS](/packages/subhashladumor1-laravel-cybershield/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (1)Dependencies (14)Versions (3)Used By (0) πŸ›‘οΈ Laravel CyberShield ====================== [](#️-laravel-cybershield) ### *Enterprise-Grade Security Intelligence for Modern Laravel Ecosystems* [](#enterprise-grade-security-intelligence-for-modern-laravel-ecosystems) [![Latest Version](https://camo.githubusercontent.com/b8334d1201dc6508be4af365381200ccbc3e574fb8850a8c48f2bc3af5225684/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f737562686173686c6164756d6f72312f6c61726176656c2d6379626572736869656c642e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d6c61726176656c26636f6c6f723d726564)](https://packagist.org/packages/subhashladumor1/laravel-cybershield) [![PHP Version](https://camo.githubusercontent.com/534f0f3a5e115ec6bd1cd1032c5b4c2d007cc58b707c49ed52575e7a3dbba0d1/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f737562686173686c6164756d6f72312f6c61726176656c2d6379626572736869656c642e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d70687026636f6c6f723d383839324246)](https://packagist.org/packages/subhashladumor1/laravel-cybershield) [![License](https://camo.githubusercontent.com/db719fe48242370392c2b93de6fb12716d137233b323d0ac1c736144d160492d/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f737562686173686c6164756d6f72312f6c61726176656c2d6379626572736869656c642e7376673f7374796c653d666f722d7468652d626164676526636f6c6f723d343443433131)](https://packagist.org/packages/subhashladumor1/laravel-cybershield) [![Downloads](https://camo.githubusercontent.com/d9580c925300c007e9894a549f3f524a9da145da7f1ce79757d33dddaa5f0ab1/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f737562686173686c6164756d6f72312f6c61726176656c2d6379626572736869656c642e7376673f7374796c653d666f722d7468652d626164676526636f6c6f723d626c7565)](https://packagist.org/packages/subhashladumor1/laravel-cybershield) Warning **⚠️ Beta Version** β€” This package is currently in **beta**. APIs, configuration keys, and middleware behaviour may change between releases. It is not yet recommended for mission-critical production environments without thorough testing. We warmly welcome **contributors**, **bug reporters**, and **feature suggestions**! See [Contributing](#-contributing) below. > **Laravel CyberShield** is a proactive, multi-layered security intelligence layer for Laravel applications. It combines a signature-based Web Application Firewall (WAF), adaptive rate limiting, bot fingerprinting, API integrity verification, real-time threat scoring, malware scanning, and forensic logging β€” all working in concert to protect your application from modern threats. --- πŸ“‹ Table of Contents ------------------- [](#-table-of-contents) - [✨ Why CyberShield?](#-why-cybershield) - [πŸ—οΈ Architecture & How It Works](#%EF%B8%8F-architecture--how-it-works) - [πŸ”₯ Feature Overview](#-feature-overview) - [πŸš€ Installation](#-installation) - [βš™οΈ Configuration & .env Variables](#%EF%B8%8F-configuration--env-variables) - [πŸ“ Folder Structure](#-folder-structure) - [🌍 Real-World Example: Securing a FinTech API](#-real-world-example-securing-a-fintech-api) - [πŸ’Ž Benefits](#-benefits) - [πŸ“š Documentation Hub](#-documentation-hub) - [🀝 Contributing](#-contributing) - [πŸ‘₯ Credits & License](#-credits--license) --- ✨ Why CyberShield? ------------------ [](#-why-cybershield) Most security packages are bolt-on afterthoughts. CyberShield is designed from the ground up as a **defense-in-depth** platform that addresses the entire attack surface of a modern Laravel application. FeatureBasic PackagesπŸ›‘οΈ CyberShieldSQL Injection / XSS WAFβœ…βœ…Adaptive Rate Limiting (Fibonacci/Exponential)βŒβœ…Headless Browser & Bot FingerprintingβŒβœ…API HMAC Signatures + Replay ProtectionβŒβœ…Real-Time IP Threat Scoring (0-100)βŒβœ…Malware & Static Code AnalysisβŒβœ…200+ Modular Middleware GuardsβŒβœ…100+ Blade Security DirectivesβŒβœ…60+ Global Security Helper FunctionsβŒβœ…Data Masking (PII, Cards, Tokens)βŒβœ…Geo-Blocking + TOR/VPN DetectionβŒβœ…Network CIDR Whitelist/BlacklistβŒβœ…Forensic Logging & Security DashboardβŒβœ…Response mode: `active` (block) or `log` (observe)βŒβœ…--- πŸ—οΈ Architecture & How It Works ---------------------------------- [](#️-architecture--how-it-works) Every HTTP request passes through a multi-stage, sequential security pipeline before reaching your application's business logic. ``` graph TD User(["🌐 Incoming Traffic"]) --> CS{{"CyberShield Security Pipeline"}} subgraph "Stage 1: Network Gates" CS --> WL["βœ… Whitelist Check\n(Bypass for trusted IPs/CIDRs)"] WL --> BL["🚫 Blacklist Check\n(Drop blocked IPs instantly)"] BL --> GEO["🌍 Geo & TOR Filter\n(Country/Region blocking)"] end subgraph "Stage 2: Request Validation" GEO --> SZ["πŸ“ Size & Protocol Check\n(Max payload, HTTPS enforce)"] SZ --> HEADERS["πŸ“‹ Header Validation\n(User-Agent, Content-Type, Origin)"] HEADERS --> BOT["πŸ€– Bot Fingerprinting\n(Honeypot, Pacing, Headless detection)"] end subgraph "Stage 3: Threat Inspection" BOT --> RATE["⏱️ Adaptive Rate Limiter\n(Linear / Exponential / Fibonacci)"] RATE --> WAF["πŸ”₯ WAF Engine\n(SQLi, XSS, RCE, LFI signatures)"] WAF --> API["πŸ”‘ API Gateway\n(HMAC, Nonce, Timestamp, Cost)"] end subgraph "Stage 4: Intelligence" API --> SCORE["🧠 Threat Score Engine\n(0-100 real-time IP risk)"] SCORE --> LOG["πŸ“Š Forensic Logger\n(DB + File + Dashboard)"] end LOG --> APP[["βœ… Your Application Controller"]] WAF -->|"Threat Detected\n(active mode)"| BLOCK["πŸ”΄ 403/429 Response\n+ IP Quarantine"] WAF -->|"Threat Detected\n(log mode)"| LOGONLY["πŸ“ Log Only\n(Passive Monitoring)"] style CS fill:#9333ea,color:#fff,stroke:#7c3aed style BLOCK fill:#dc2626,color:#fff,stroke:#b91c1c style APP fill:#16a34a,color:#fff,stroke:#15803d ``` Loading ### 🧠 Core Processing Principles [](#-core-processing-principles) 1. **Dual Mode Operation**: Set `CYBERSHIELD_GLOBAL_MODE=active` to block threats or `log` to silently monitor β€” perfect for onboarding without disruption. 2. **Dynamic Threat Scoring**: Each IP accumulates a risk score (0-100) based on behavioral signals. Scores decay over 24 hours. 3. **Signature Intelligence**: WAF rules are JSON-based and loaded dynamically β€” extend without touching core code. 4. **Stateless + Stateful Guards**: Fast stateless header checks run first; cache-backed stateful checks (rate limiting, bot pacing) run second. --- πŸ”₯ Feature Overview ------------------ [](#-feature-overview) ### 1. πŸ”₯ Web Application Firewall (WAF) [](#1--web-application-firewall-waf) Deep-packet inspection engine covering the OWASP Top 10: - **SQL Injection**: `UNION SELECT`, `DROP TABLE`, `SLEEP()`, `EXTRACTVALUE()` - **Cross-Site Scripting (XSS)**: ``, `onerror=`, `javascript:` URIs - **Remote Code Execution (RCE)**: `eval()`, `shell_exec()`, `system()` - **Local File Inclusion (LFI)**: `../etc/passwd`, `C:\Windows\` - **Path Traversal**: `../` patterns in URIs - Payload normalization to defeat evasion attacks (e.g., `SEL/**/ECT`) ### 2. πŸ€– Bot & Automation Defense [](#2--bot--automation-defense) Multi-dimensional fingerprinting that goes beyond User-Agent strings: - Honeypot hidden form fields (`@secureHoneypot`) - Headless browser detection (Puppeteer, Playwright, Selenium) - Behavioral pacing analysis (request-timing anomalies) - JS environment variable markers detection - Tool fingerprinting: cURL, Guzzle, wget, Scrapy, Postman ### 3. ⏱️ Adaptive Rate Limiting [](#3-️-adaptive-rate-limiting) Three strategies for smart traffic shaping: - **Linear**: Fixed limit per window β€” general API usage - **Exponential**: Delay grows 2x with each violation β€” login protection - **Fibonacci**: Follows 1, 2, 3, 5, 8... sequence β€” high-security endpoints - Multi-layer throttling: per-IP, per-user, per-route, burst protection ### 4. πŸ”‘ API Security Gateway [](#4--api-security-gateway) Enterprise-grade integrity guarantees for REST/GraphQL APIs: - **HMAC-SHA256** request signature verification - **Nonce** (number-used-once) replay attack prevention - **Timestamp tolerance** validation (configurable, default 60s) - **Resource cost budgets** per endpoint (prevent exhaustion attacks) - **API Key registry** with per-key rate limiting tiers ### 5. 🌍 Network & Geo Intelligence [](#5--network--geo-intelligence) - CIDR-based whitelist/blacklist (e.g., `192.168.1.0/24`) - Country-level blocking (ISO codes via `CF-IPCountry` / `X-Country-Code`) - TOR exit node detection (real-time check.torproject.org feed, cached 12h) - VPN, proxy, and datacenter IP identification - IPv4 & IPv6 support ### 6. πŸ•΅οΈ Threat Intelligence Engine [](#6-️-threat-intelligence-engine) - Real-time IP risk scoring (0 = Safe, 100 = Block) - Automatic IP quarantine on threat detection - Dynamic block durations by severity (1 day β†’ 30 days) - Configurable threat score thresholds ### 7. πŸ”¬ Project Security Audit [](#7--project-security-audit) Artisan-powered static analysis with 11 specialized rule engines: - Malware pattern detection in PHP files - SQL Injection vulnerability scanning - XSS vulnerability scanning - Configuration security checks (debug mode, exposed keys) - Dependency vulnerability analysis - Model security (mass-assignment exposure) - File upload security - Bot detection code quality - API security posture - Auth security patterns - Infrastructure configuration review ### 8. πŸ“Š Forensic Logging & Monitoring [](#8--forensic-logging--monitoring) - Structured logging to database (`security_logs` table) - File-based logging with rotation (daily/weekly) - 9 log channels: request, API, bot, threat, system, traffic, database, queue, middleware - CSV/JSON export for SIEM integration - Security dashboard with Chart.js visualizations --- πŸš€ Installation -------------- [](#-installation) ### Requirements [](#requirements) - PHP **8.2+** - Laravel **10.x / 11.x / 12.x** - A configured Cache driver (Redis recommended for production) ### Step 1: Install via Composer [](#step-1-install-via-composer) ``` composer require subhashladumor1/laravel-cybershield ``` ### Step 2: Publish Assets [](#step-2-publish-assets) ``` # Publish config file, migrations, and views php artisan vendor:publish --provider="CyberShield\CyberShieldServiceProvider" # Or publish selectively: php artisan vendor:publish --tag=cybershield-config php artisan vendor:publish --tag=cybershield-migrations php artisan vendor:publish --tag=cybershield-views ``` ### Step 3: Run Migrations [](#step-3-run-migrations) ``` php artisan migrate ``` ### Step 4: Initialize CyberShield [](#step-4-initialize-cybershield) ``` php artisan security:base init ``` ### Step 5: Register the Global Guard [](#step-5-register-the-global-guard) **Laravel 11+ (`bootstrap/app.php`)**: ``` use Illuminate\Foundation\Application; use Illuminate\Foundation\Configuration\Middleware; return Application::configure(basePath: dirname(__DIR__)) ->withMiddleware(function (Middleware $middleware) { // Option A: Protect all routes globally $middleware->append(\CyberShield\Http\Middleware\FirewallMiddleware::class); // Option B: Register route-level aliases $middleware->alias([ 'cybershield.waf' => \CyberShield\Http\Middleware\FirewallMiddleware::class, 'cybershield.bot' => \CyberShield\Http\Middleware\DetectBotMiddleware::class, 'cybershield.rate' => \CyberShield\Http\Middleware\IpRateLimiterMiddleware::class, ]); }) ->create(); ``` **Laravel 10 (`app/Http/Kernel.php`)**: ``` protected $middleware = [ // ... other global middleware \CyberShield\Http\Middleware\FirewallMiddleware::class, ]; protected $middlewareAliases = [ // All 200+ cybershield.* aliases are auto-registered by the ServiceProvider ]; ``` ### Step 6: Configure `.env` [](#step-6-configure-env) ``` CYBERSHIELD_ENABLED=true CYBERSHIELD_GLOBAL_MODE=active CYBERSHIELD_ENFORCE_HTTPS=true CYBERSHIELD_BLOCK_TOR=false CYBERSHIELD_SIGNATURE_BLOCK_THRESHOLD=medium ``` --- βš™οΈ Configuration & .env Variables ------------------------------------- [](#️-configuration--env-variables) All `.env` keys map to values in `config/cybershield.php`. Below is the complete reference. ### πŸ”§ Core Settings [](#-core-settings) `.env` KeyDefaultDescription`CYBERSHIELD_ENABLED``true`Master on/off switch for the entire package.`CYBERSHIELD_GLOBAL_MODE``active``active` = block threats. `log` = log only (passive/monitor).### πŸ“¦ Module Toggles [](#-module-toggles) `.env` KeyDefaultControls`CYBERSHIELD_REQUEST_SECURITY_ENABLED``true`Request structure/header validation.`CYBERSHIELD_RATE_LIMITING_ENABLED``true`All rate limiting strategies.`CYBERSHIELD_BOT_PROTECTION_ENABLED``true`Bot detection & honeypot.`CYBERSHIELD_NETWORK_SECURITY_ENABLED``true`IP/Geo/TOR/Proxy filtering.`CYBERSHIELD_AUTH_SECURITY_ENABLED``true`Session & authentication hardening.`CYBERSHIELD_API_SECURITY_ENABLED``true`API Gateway (HMAC, Nonce, Keys).`CYBERSHIELD_THREAT_DETECTION_ENABLED``true`WAF & threat scoring engine.`CYBERSHIELD_MONITORING_ENABLED``true`Dashboard & forensic logging.### 🌐 Request Security [](#-request-security) `.env` KeyDefaultDescription`CYBERSHIELD_MAX_SIZE``5242880`Max request body size in bytes (5MB).`CYBERSHIELD_ENFORCE_HTTPS``true`Force HTTPS on all requests.`CYBERSHIELD_ALLOWED_ORIGINS``localhost`Comma-separated allowed CORS origins.### ⏱️ Rate Limiting [](#️-rate-limiting) `.env` KeyDefaultDescription`CYBERSHIELD_RATE_LIMIT_DRIVER``cache`Cache driver for counters (`cache`, `redis`).### 🌍 Network & Geo [](#-network--geo) `.env` KeyDefaultDescription`CYBERSHIELD_BLOCK_TOR``false`Block all TOR exit node traffic.### πŸ”₯ WAF & Signatures [](#-waf--signatures) `.env` KeyDefaultDescription`CYBERSHIELD_SIGNATURES_PATH``src/Signatures`Path to the JSON signature rules directory.`CYBERSHIELD_CUSTOM_SIGNATURES_PATH``null`Path to your own custom JSON signature files.`CYBERSHIELD_SIGNATURE_BLOCK_THRESHOLD``medium`Minimum severity to trigger a block: `low`, `medium`, `high`, `critical`.### πŸ”‘ API Security [](#-api-security) `.env` KeyDefaultDescription`CYBERSHIELD_API_VERIFY_SIGNATURE``true`Enable HMAC-SHA256 request signature check.`CYBERSHIELD_API_REPLAY_PROTECTION``true`Enable Nonce + Timestamp replay prevention.`CYBERSHIELD_API_AUTO_BLOCK``true`Automatically block abusive API clients.### πŸ“Š Logging [](#-logging) `.env` KeyDefaultDescription`CYBERSHIELD_LOGGING_ENABLED``true`Enable/disable all security logging.`CYBERSHIELD_LOG_CHANNEL``stack`Laravel log channel to write security events to.`CYBERSHIELD_LOG_FORMAT`See configFormat string for log entries.`CYBERSHIELD_LOG_ROTATION``daily`Log rotation strategy: `daily`, `weekly`.`CYBERSHIELD_LOG_MAX_SIZE``5242880`Max log file size in bytes (5MB).### πŸ“‹ Full `.env` Template [](#-full-env-template) ``` # ─── CyberShield Core ──────────────────────────────────────────────────────── CYBERSHIELD_ENABLED=true CYBERSHIELD_GLOBAL_MODE=active # active | log # ─── Module Toggles ────────────────────────────────────────────────────────── CYBERSHIELD_REQUEST_SECURITY_ENABLED=true CYBERSHIELD_RATE_LIMITING_ENABLED=true CYBERSHIELD_BOT_PROTECTION_ENABLED=true CYBERSHIELD_NETWORK_SECURITY_ENABLED=true CYBERSHIELD_AUTH_SECURITY_ENABLED=true CYBERSHIELD_API_SECURITY_ENABLED=true CYBERSHIELD_THREAT_DETECTION_ENABLED=true CYBERSHIELD_MONITORING_ENABLED=true # ─── Request Security ──────────────────────────────────────────────────────── CYBERSHIELD_MAX_SIZE=5242880 # 5MB in bytes CYBERSHIELD_ENFORCE_HTTPS=true CYBERSHIELD_ALLOWED_ORIGINS=localhost,yourdomain.com # ─── Network & Geo ─────────────────────────────────────────────────────────── CYBERSHIELD_BLOCK_TOR=false # ─── WAF / Signatures ──────────────────────────────────────────────────────── CYBERSHIELD_SIGNATURES_PATH= # leave blank for default CYBERSHIELD_CUSTOM_SIGNATURES_PATH= # optional: your custom rules CYBERSHIELD_SIGNATURE_BLOCK_THRESHOLD=medium # low | medium | high | critical # ─── API Security ──────────────────────────────────────────────────────────── CYBERSHIELD_API_VERIFY_SIGNATURE=true CYBERSHIELD_API_REPLAY_PROTECTION=true CYBERSHIELD_API_AUTO_BLOCK=true # ─── Rate Limiting ─────────────────────────────────────────────────────────── CYBERSHIELD_RATE_LIMIT_DRIVER=cache # cache | redis # ─── Logging ───────────────────────────────────────────────────────────────── CYBERSHIELD_LOGGING_ENABLED=true CYBERSHIELD_LOG_CHANNEL=stack CYBERSHIELD_LOG_ROTATION=daily CYBERSHIELD_LOG_MAX_SIZE=5242880 ``` --- πŸ“ Folder Structure ------------------ [](#-folder-structure) ``` laravel-cybershield/ β”œβ”€β”€ src/ β”‚ β”œβ”€β”€ Blade/ β”‚ β”‚ └── SecurityDirectives.php # 100+ Blade @secure* directives β”‚ β”‚ β”‚ β”œβ”€β”€ Console/ β”‚ β”‚ └── Commands/ β”‚ β”‚ β”œβ”€β”€ BaseSecurityCommand.php # Shared UI/output helpers for commands β”‚ β”‚ β”œβ”€β”€ DynamicScannerCommand.php# Dynamic behavioral scan command β”‚ β”‚ β”œβ”€β”€ ListMiddlewareCommand.php# Lists all 200 registered middleware β”‚ β”‚ └── SecurityScanCommand.php # Main `security:scan` command β”‚ β”‚ β”‚ β”œβ”€β”€ Core/ β”‚ β”‚ β”œβ”€β”€ SecurityKernel.php # Orchestrates the security pipeline β”‚ β”‚ β”œβ”€β”€ ThreatEngine.php # IP threat scoring & quarantine logic β”‚ β”‚ └── WAFEngine.php # Signature matching & payload inspection β”‚ β”‚ β”‚ β”œβ”€β”€ Helpers/ β”‚ β”‚ └── security_helpers.php # 60+ global PHP helper functions β”‚ β”‚ β”‚ β”œβ”€β”€ Http/ β”‚ β”‚ └── Middleware/ # 200+ modular middleware guards β”‚ β”‚ β”œβ”€β”€ FirewallMiddleware.php # Primary WAF entry point (global) β”‚ β”‚ β”œβ”€β”€ DetectBotMiddleware.php β”‚ β”‚ β”œβ”€β”€ IpRateLimiterMiddleware.php β”‚ β”‚ └── ... (200+ total) β”‚ β”‚ β”‚ β”œβ”€β”€ Logging/ β”‚ β”‚ └── LogWriter.php # Structured file + DB logger β”‚ β”‚ β”‚ β”œβ”€β”€ MalwareScanner/ β”‚ β”‚ └── MalwareScanner.php # Static analysis for malware patterns β”‚ β”‚ β”‚ β”œβ”€β”€ Models/ β”‚ β”‚ └── ThreatLog.php # Eloquent model for security_logs table β”‚ β”‚ β”‚ β”œβ”€β”€ Monitoring/ β”‚ β”‚ └── ... # Dashboard data aggregation services β”‚ β”‚ β”‚ β”œβ”€β”€ Providers/ β”‚ β”‚ └── CyberShieldServiceProvider.php # Service registration & boot β”‚ β”‚ β”‚ β”œβ”€β”€ RateLimiting/ β”‚ β”‚ └── AdvancedRateLimiter.php # Linear/Exponential/Fibonacci engine β”‚ β”‚ β”‚ β”œβ”€β”€ Security/ β”‚ β”‚ β”œβ”€β”€ NetworkGuard.php # IP/CIDR/Geo filtering β”‚ β”‚ β”œβ”€β”€ DatabaseIntrusionDetector.php# DB-level injection monitoring β”‚ β”‚ └── Project/ β”‚ β”‚ └── Rules/ # 11 static analysis rule engines β”‚ β”‚ β”œβ”€β”€ MalwareRule.php β”‚ β”‚ β”œβ”€β”€ SqlInjectionRule.php β”‚ β”‚ β”œβ”€β”€ XssRule.php β”‚ β”‚ β”œβ”€β”€ ConfigRule.php β”‚ β”‚ β”œβ”€β”€ DependencyRule.php β”‚ β”‚ β”œβ”€β”€ ModelSecurityRule.php β”‚ β”‚ β”œβ”€β”€ FileUploadRule.php β”‚ β”‚ β”œβ”€β”€ BotDetectionRule.php β”‚ β”‚ β”œβ”€β”€ ApiSecurityRule.php β”‚ β”‚ β”œβ”€β”€ AuthSecurityRule.php β”‚ β”‚ └── InfrastructureRule.php β”‚ β”‚ β”‚ β”œβ”€β”€ Signatures/ β”‚ β”‚ └── *.json # WAF signature rule files (SQLi, XSS, etc.) β”‚ β”‚ β”‚ β”œβ”€β”€ config/ β”‚ β”‚ └── cybershield.php # Main configuration file β”‚ β”‚ β”‚ β”œβ”€β”€ resources/ β”‚ β”‚ └── views/ # Blade dashboard views β”‚ β”‚ β”‚ └── routes/ β”‚ └── web.php # Dashboard & API routes β”‚ β”œβ”€β”€ docs/ # Comprehensive documentation β”‚ β”œβ”€β”€ firewall.md β”‚ β”œβ”€β”€ bot-protection.md β”‚ β”œβ”€β”€ rate-limiting.md β”‚ β”œβ”€β”€ api-security.md β”‚ β”œβ”€β”€ helpers.md β”‚ β”œβ”€β”€ middleware.md β”‚ β”œβ”€β”€ blade-directives.md β”‚ β”œβ”€β”€ commands.md β”‚ └── ... (19 total docs) β”‚ β”œβ”€β”€ composer.json β”œβ”€β”€ phpunit.xml └── README.md ``` --- 🌍 Real-World Example: Securing a FinTech API -------------------------------------------- [](#-real-world-example-securing-a-fintech-api) This example demonstrates securing a payment processing API endpoint against the most common attack vectors. ### Scenario [](#scenario) A `POST /api/v1/transactions` endpoint processes financial transfers. It's a high-value target for: - Bot-driven credential stuffing - SQL injection to manipulate account balances - Replay attacks to process the same transaction twice - Resource exhaustion from heavy parallel requests ### Solution: The Full CyberShield Stack [](#solution-the-full-cybershield-stack) **Step 1: Route definition with layered middleware** ``` // routes/api.php use CyberShield\Http\Middleware\FirewallMiddleware; Route::middleware([ 'cybershield.block_blacklisted_ip', // Instant drop for known-bad IPs 'cybershield.detect_tor_network', // Block anonymized attackers 'cybershield.verify_api_key', // Validate X-API-KEY header 'cybershield.verify_api_signature', // HMAC-SHA256 request integrity 'cybershield.verify_api_nonce', // Prevent replay attacks 'cybershield.verify_api_timestamp', // Reject requests older than 60s 'cybershield.detect_sql_injection', // WAF: SQLi detection 'cybershield.api_rate_limiter', // Adaptive throttling 'cybershield.log_security_event', // Forensic audit trail ])->group(function () { Route::post('/api/v1/transactions', [TransactionController::class, 'store']); }); ``` **Step 2: Controller using helper functions** ``` // app/Http/Controllers/TransactionController.php class TransactionController extends Controller { public function store(Request $request): JsonResponse { // Check threat score before processing if (is_high_risk()) { block_current_ip('High risk score on financial endpoint'); return response()->json(['error' => 'Access denied.'], 403); } // Validate payload is not malicious $rawPayload = $request->getContent(); if (is_malicious_payload($rawPayload)) { log_threat_event('malicious_payload', ['endpoint' => 'transactions']); return response()->json(['error' => 'Invalid payload.'], 422); } // Verify HMAC signature from client $signature = $request->header('X-Signature'); $secret = config('services.payment_gateway.secret'); if (!verify_api_signature($rawPayload, $signature, $secret)) { return response()->json(['error' => 'Signature mismatch.'], 401); } // Mask PII in logs $logData = [ 'account' => mask_card($request->input('card_number')), 'email' => mask_email($request->input('email')), 'ip' => mask_ip(), ]; Log::info('Transaction processed', $logData); // Process the transaction... return response()->json(['status' => 'success']); } } ``` **Step 3: Secure Blade UI for the dashboard** ``` {{-- resources/views/transactions/index.blade.php --}} @secureAuth @secureThreatHigh ⚠️ Unusual activity detected on your account. Some features have been temporarily restricted. @endsecureThreatHigh Card on file: @secureMaskCard($user->card_number) Email: @secureMaskEmail($user->email) @secure2fa Make Transfer @else Enable 2FA to initiate transfers. @endsecure2fa @else Please log in to view transactions. @endsecureAuth @secureHoneypot {{ csrf_field() }} ``` **Step 4: Client-side API call (HMAC generation)** ``` // Example: Generating a signed API request (client SDK) $payload = json_encode(['amount' => 100, 'to' => 'ACC-9876']); $nonce = bin2hex(random_bytes(16)); $timestamp = time(); $secret = env('API_SECRET'); // Canonical string: METHOD + URL + PAYLOAD + TIMESTAMP + NONCE $canonical = 'POST' . '/api/v1/transactions' . $payload . $timestamp . $nonce; $signature = hash_hmac('sha256', $canonical, $secret); Http::withHeaders([ 'X-API-KEY' => env('API_KEY'), 'X-Signature' => $signature, 'X-Nonce' => $nonce, 'X-Timestamp' => $timestamp, 'Content-Type'=> 'application/json', ])->post('https://yourapp.com/api/v1/transactions', json_decode($payload, true)); ``` **Result**: This single endpoint is now protected against SQL injection, replay attacks, bot scraping, brute force, IP flooding, and unauthorized access β€” with full audit logs for every interaction. --- πŸ’Ž Benefits ---------- [](#-benefits) BenefitDetailπŸš€ **Near-Zero Overhead**Middleware chain adds `