vendor-shield/laravel-shield
============================

Enterprise Runtime Security Platform for Laravel Applications

[Source](https://github.com/vatsrajatkjha/rcv-security-shield) | [Packagist](https://packagist.org/packages/vendor-shield/laravel-shield)

Laravel Shield
==============

> Runtime security layer for Laravel applications (MIT, fully open source).

Laravel Shield provides in-app runtime protection for Laravel: request inspection, upload hardening, SQL/query monitoring, queue/auth/cache/tenant safeguards, exception intelligence, audit logging, and operational security tooling.

Shield persists two complementary streams:

- `shield_audit_logs` for immutable audit events
- `shield_threat_logs` for normalized actionable threat records with stable fingerprints

---

Why Laravel Shield
------------------

Traditional controls (validation-only rules or perimeter filters) often miss runtime-context attacks. Shield runs inside Laravel's execution flow, where it can use request, auth, DB, queue, and tenant context together.

### Core design principles

- Framework-safe integration (`ServiceProvider`, middleware, events, `DB::listen`)
- Fail-safe behavior for guard/event/audit paths
- Guard-based architecture with global and per-guard modes
- Bounded synchronous checks with optional async analysis
- Structured audit logging with pluggable drivers

---

Security Coverage
-----------------

| Area | Guard / Component | Capability |
| --- | --- | --- |
| HTTP | `HttpGuard` | Payload/header anomaly checks, request scoring |
| Database | `DatabaseGuard` | SQL anomaly checks, raw query detection, slow query flagging |
| Uploads | `UploadGuard` | Extension/MIME/magic-byte checks, content scanning, archive inspection |
| Queue | `QueueGuard` | Payload inspection, allow/block lists, failed-job pattern analysis |
| Auth | `AuthGuard` | Brute-force and session anomaly heuristics |
| Cache | `CacheGuard` | Key validation, serialization-risk checks, size anomaly checks |
| Tenant | `TenantGuard` | Tenant isolation checks with configurable resolver |
| Exceptions | `ExceptionGuard` | Sensitive-data scrubbing and anomaly classification |
| Policy | `PolicyEngine` | Runtime rule evaluation |
| Audit | `AuditLogger` | Structured event logging (`database`, `log`, `null`) |
| Intelligence | `IntelligenceClient` | Optional external intelligence integration |

---

Installation
------------

```
composer require vendor-shield/laravel-shield
```

### Install package assets

```
php artisan shield:install
```

`shield:install` can:

- publish `config/shield.php`
- run package migrations
- create Shield storage directories for upload workflows

---

Quick Start
-----------

### 1) Verify health

```
php artisan shield:health
```

### 2) Start safely in monitor mode

```
SHIELD_MODE=monitor
```

### 3) Enforce high-value guards after tuning

```
SHIELD_HTTP_MODE=enforce
SHIELD_UPLOAD_MODE=enforce
SHIELD_DB_MODE=monitor
```

---

Runtime Modes
-------------

| Mode | Behavior |
| --- | --- |
| `enforce` | Actively block/reject suspicious activity |
| `monitor` | Observe and log without blocking |
| `learning` | Capture behavior for baseline tuning |
| `disabled` | Guard is inactive |

Global mode:

```
SHIELD_MODE=monitor
```

Per-guard override example:

```
SHIELD_UPLOAD_MODE=enforce
SHIELD_QUEUE_GUARD_MODE=monitor
```

---

Commands
--------

| Command | Description |
| --- | --- |
| `php artisan shield:install` | Publish config, run migrations, create storage directories |
| `php artisan shield:health` | Report runtime, guards, DB, storage, and intelligence status |
| `php artisan shield:baseline` | Generate JSON baseline snapshot |
| `php artisan shield:runtime:enable` | Toggle Shield globally or for a specific guard via `.env` |
| `php artisan shield:compliance-report` | Generate experimental SOC2 / ISO27001 / GDPR report |

Examples:

```
php artisan shield:baseline --output=storage/shield/baseline.json
php artisan shield:runtime:enable --guard=upload
php artisan shield:runtime:enable --disable --guard=tenant
php artisan shield:compliance-report --type=soc2 --from=2026-01-01 --to=2026-01-31
```

---

Configuration
-------------

Primary file: `config/shield.php`

### Global controls

```
'enabled' => env('SHIELD_ENABLED', true),
'mode' => env('SHIELD_MODE', 'monitor'),
```

### Upload hardening highlights

```
'guards' => [
    'upload' => [
        'max_file_size' => env('SHIELD_UPLOAD_MAX_SIZE', 52428800),
        'compare_client_mime' => env('SHIELD_UPLOAD_COMPARE_CLIENT_MIME', true),
        'block_archives' => env('SHIELD_UPLOAD_BLOCK_ARCHIVES', true),
        'full_content_scan' => env('SHIELD_UPLOAD_FULL_SCAN', true),
        'polyglot_detection' => env('SHIELD_UPLOAD_POLYGLOT_DETECT', true),
    ],
],
```
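
The kind of check that option names such as `compare_client_mime` and `polyglot_detection` suggest, sketched as stand-alone PHP. This is an added example, not Laravel Shield's own code: `detectedMime()`, `inspectUpload()`, the finding labels and the allow-list are hypothetical, and it assumes PHP 8 with the `fileinfo` extension.

```php
<?php
declare(strict_types=1);

// Added illustration; not Laravel Shield's code. All function names are hypothetical.

/** Detect the MIME type from file content (libmagic), ignoring file name and client headers. */
function detectedMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

/**
 * Return a list of findings for one upload.
 * $allowed maps a lowercase extension to the content MIME type expected for it.
 */
function inspectUpload(string $path, string $clientName, string $clientMime, array $allowed): array
{
    $findings = [];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $real = detectedMime($path);

    if (!isset($allowed[$ext])) {
        $findings[] = "extension_not_allowed:$ext";
    } elseif ($allowed[$ext] !== $real) {
        // The extension claims one type, the magic bytes say another.
        $findings[] = "extension_content_mismatch:$ext/$real";
    }
    if (strtolower($clientMime) !== $real) {
        // The Content-Type sent by the client is attacker-controlled; never trust it alone.
        $findings[] = "client_mime_mismatch:$clientMime/$real";
    }
    // Crude polyglot signal: image magic bytes, but a PHP open tag somewhere in the body.
    if (str_starts_with($real, 'image/') && str_contains((string) file_get_contents($path), '<?php')) {
        $findings[] = 'embedded_php_tag';
    }
    return $findings;
}

// Constructed sample: GIF header with an inert PHP tag appended, uploaded as "avatar.jpg".
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;" . '<?php /* constructed marker */ ?>');
$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
print_r(inspectUpload($tmp, 'avatar.jpg', 'image/jpeg', $allowed));
unlink($tmp);
```

In monitor mode findings like these would only be logged; in enforce mode a non-empty list would reject the upload.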

### Audit driver

```
SHIELD_AUDIT_DRIVER=database
# or: log, null
```

### Threat driver

```
SHIELD_THREATS_DRIVER=database
# or: log, null
```

---

Architecture Overview
---------------------

```mermaid
flowchart TD
    incoming[IncomingRequest] --> middleware[ShieldMiddleware]
    middleware --> http[HttpGuard]
    middleware --> upload[UploadGuard]
    middleware --> app[LaravelApp]
    app --> dbListen[DB::listen]
    dbListen --> dbGuard[DatabaseGuard]
    app --> queueEv[QueueEvents]
    queueEv --> queueGuard[QueueGuard]
    app --> cacheOps[CacheOperations]
    cacheOps --> cacheGuard[CacheGuard]
    app --> exceptionDecor[ExceptionHandlerDecorator]
    exceptionDecor --> exGuard[ExceptionGuard]
    http --> audit[AuditLogger]
    upload --> audit
    dbGuard --> audit
    queueGuard --> audit
    cacheGuard --> audit
    exGuard --> audit
```

---

Production Rollout
------------------

### Phase 1: Observe

- keep `SHIELD_MODE=monitor`
- inspect audit output and guard noise

### Phase 2: Selective enforcement

- enable `enforce` for HTTP + Upload first
- keep DB/Queue/Auth/Cache in monitor while tuning

### Phase 3: Broaden enforcement

- progressively enable enforcement by guard
- retain rollback path (`shield:runtime:enable --disable --guard=...`)

---

Testing and Quality
-------------------

```
composer lint
composer analyse
composer test
```

---

Security Boundaries
-------------------

Shield improves runtime security posture, but does not replace:

- infrastructure firewalls / CDN security controls
- secure coding and code review practices
- malware sandbox/CDR systems for high-risk upload pipelines
- business-specific authorization design

Use Shield as one layer in defense-in-depth.

---

Compatibility
-------------

| Component | Supported |
| --- | --- |
| PHP | `^8.2` |
| Laravel | `11.x`, `12.x` |
| Contexts | HTTP, CLI, queue workers |

---

Open Source
-----------

- License: MIT
- No feature tiers
- No license key required

---

Author
------

- Rajat Kumar Jha
- RCV Technologies

---

Contributing
------------

Contributions are welcome. Include:

- tests for behavior changes
- docs updates for config/command/public API updates
- migration notes when behavior is changed

Contributor docs:

- `CONTRIBUTING.md`
- `SECURITY.md`
- `CHANGELOG.md`

Recommended local workflow:

```
composer install
composer lint
composer analyse
composer test
```
