
zappzarapp/security
===================

Comprehensive PHP security library: CSP, Security Headers, CSRF, Cookies, Password Validation, Input Sanitization, Rate Limiting, SRI, and Audit Logging

v1.2.0 (3w ago) · [4 issues](https://github.com/marcstraube/zappzarapp-php-security/issues) · MIT · PHP ^8.4 · CI passing · Since Feb 12 · Pushed 3w ago

[Source](https://github.com/marcstraube/zappzarapp-php-security) · [Packagist](https://packagist.org/packages/zappzarapp/security)

⚡ zappzarapp/security
=====================

Comprehensive PHP security library providing CSP, Security Headers, CSRF protection, Secure Cookies, Password Validation, Input Sanitization, Rate Limiting, SRI, and Audit Logging.

Highlights
----------

- **All-in-one** — 11 security modules in a single, composable package
- **Secure by default** — strict CSP, no `unsafe-*`, HTTPS-first
- **Framework-agnostic** — works with any PHP 8.4+ application
- **Immutable & type-safe** — readonly classes, enums, `with*()` API
- **Quality-backed** — PHPStan Level 8, Psalm Level 1, 100% Mutation Score, Deptrac architecture enforcement
- **PSR-compatible** — PSR-3 (Logging), PSR-15 (Middleware), PSR-18 (HTTP Client)

Modules
-------

| Module | Description | Key Classes |
|--------|-------------|-------------|
| **CSP** | Content Security Policy header building | `CspDirectives`, `HeaderBuilder`, `NonceGenerator` |
| **Headers** | Security headers (HSTS, Permissions-Policy, etc.) | `SecurityHeaders`, `SecurityHeadersBuilder` |
| **CSRF** | Cross-Site Request Forgery protection | `CsrfProtection`, `CsrfConfig` |
| **Cookie** | Secure cookie handling | `SecureCookie`, `CookieBuilder`, `CookieOptions` |
| **Password** | Password validation and hashing | `PasswordPolicy`, `PwnedPasswordChecker`, `PepperedPasswordHasher` |
| **Sanitization** | Input sanitization (HTML, SQL, URI, Path) | `HtmlSanitizer`, `UriSanitizer`, `PathValidator` |
| **RateLimiting** | Rate limiting with multiple algorithms | `DefaultRateLimiter`, `RateLimitConfig` |
| **SRI** | Subresource Integrity hash generation | `SriHashGenerator`, `IntegrityAttribute` |
| **Analyzer** | Security header analysis and auditing | `SecurityHeaderAnalyzer`, `AnalysisResult` |
| **Middleware** | PSR-15 middleware for drop-in framework integration | `SecurityHeadersMiddleware`, `CspMiddleware`, `CsrfMiddleware`, `DoubleSubmitCsrfMiddleware`, `RateLimitMiddleware`, `CorsMiddleware` |
| **Logging** | Security event audit logging | `SecurityAuditLogger`, `SecurityEvent` |

Requirements
------------

- PHP ^8.4
- `ext-dom`
- `ext-libxml`
- `ext-sodium`

Installation
------------

```
composer require zappzarapp/security
```

Quick Start
-----------

### Security Headers

```
use Zappzarapp\Security\Headers\Builder\SecurityHeadersBuilder;

$headers = SecurityHeadersBuilder::recommended()->build();
foreach ($headers as $name => $value) {
    header("{$name}: {$value}");
}
```

### CSP with Nonces

```
use Zappzarapp\Security\Csp\HeaderBuilder;
use Zappzarapp\Security\Csp\Directive\CspDirectives;
use Zappzarapp\Security\Csp\Nonce\NonceGenerator;

$generator = new NonceGenerator();
$csp = HeaderBuilder::build(CspDirectives::strict(), $generator);
header("Content-Security-Policy: {$csp}");

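// Put the same nonce on every inline script the policy should allow
$nonce = $generator->get();
echo "<script nonce=\"{$nonce}\">console.log('Safe!');</script>";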
```

### CSRF Protection

```
use Zappzarapp\Security\Csrf\CsrfProtection;
use Zappzarapp\Security\Csrf\Storage\SessionCsrfStorage;

$csrf = new CsrfProtection(new SessionCsrfStorage());

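// Generate token for form and embed it as a hidden field
$token = $csrf->generateToken();
echo '<input type="hidden" name="_token" value="' . htmlspecialchars((string) $token, ENT_QUOTES) . '">';

// Validate on submission (a missing field is treated as an empty token)
if (!$csrf->validateToken($_POST['_token'] ?? '')) {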
    throw new Exception('CSRF validation failed');
}
```

### Input Sanitization

```
use Zappzarapp\Security\Sanitization\Html\HtmlSanitizer;
use Zappzarapp\Security\Sanitization\Path\PathValidator;

// Sanitize HTML (removes dangerous tags/attributes)
$sanitizer = new HtmlSanitizer();
$safe = $sanitizer->sanitize($userInput);

// Validate file paths (prevent directory traversal)
$validator = new PathValidator('/var/www/uploads');
if (!$validator->isValid($userPath)) {
    throw new Exception('Invalid path');
}
```
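
The containment check that "validate file paths (prevent directory traversal)" refers to, written in plain PHP as an added example. It is not the library's `PathValidator` implementation; the helper `resolveInsideBase()` and the temporary sandbox are constructed for illustration, and a POSIX filesystem is assumed for `symlink()`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of zappzarapp/security): returns the resolved
 * path when $userPath stays inside $baseDir, or null otherwise.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    // NUL bytes never belong in a file name; reject before touching the filesystem.
    if ($userPath === '' || str_contains($userPath, "\0")) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }

    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist, which also rejects dangling links.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return null;
    }

    // Compare with a trailing separator so ".../uploads-old" is not
    // accepted as being inside ".../uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($resolved, $prefix) ? $resolved : null;
}

// Constructed sandbox: an uploads directory, a sibling with a similar name,
// and a symlink inside uploads that points outside it.
$root = sys_get_temp_dir() . '/pathdemo-' . bin2hex(random_bytes(4));
mkdir("$root/uploads/img", 0700, true);
mkdir("$root/uploads-old", 0700, true);
file_put_contents("$root/uploads/img/a.png", 'x');
file_put_contents("$root/uploads-old/secret.txt", 'x');
symlink("$root/uploads-old", "$root/uploads/link");

foreach (['img/a.png', 'img/../img/a.png', '../uploads-old/secret.txt',
          'link/secret.txt', "img/a.png\0.txt", 'missing.txt'] as $candidate) {
    $ok = resolveInsideBase("$root/uploads", $candidate) !== null;
    printf("%-28s %s\n", addcslashes($candidate, "\0"), $ok ? 'accepted' : 'rejected');
}
```

Because the check resolves the path first and compares afterwards, the result should be used as the path that is opened, not the original user string.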

See the [documentation](docs/) for detailed examples of all modules.

Documentation
-------------

Each module has detailed API documentation with class references, configuration options, and code examples:

| Module | Description |
|--------|-------------|
| [CSP](docs/csp.md) | Content Security Policy with nonces |
| [Headers](docs/headers.md) | HSTS, COOP, COEP, CORP, Permissions |
| [CSRF](docs/csrf.md) | Token patterns and validation |
| [Cookie](docs/cookie.md) | Secure cookie handling |
| [Password](docs/password.md) | Hashing, policies, breach detection |
| [Sanitization](docs/sanitization.md) | HTML, URI, path sanitization |
| [Rate Limiting](docs/rate-limiting.md) | Token bucket, sliding window |
| [SRI](docs/sri.md) | Subresource integrity hashes |
| [Analyzer](docs/analyzer.md) | Security header auditing |
| [Middleware](docs/middleware.md) | PSR-15 middleware |
| [Logging](docs/logging.md) | Security audit logging |
| [Glossary](docs/glossary.md) | Security terminology reference |

Versioning
----------

This library follows [Semantic Versioning 2.0.0](https://semver.org/).

All classes, interfaces, and methods in the `Zappzarapp\Security` namespace are considered public API unless marked with `@internal`. Breaking changes only happen in major versions, with deprecation warnings at least one minor version before removal.

Releases are automated via [release-please](https://github.com/googleapis/release-please) and GPG-signed. See [CHANGELOG.md](CHANGELOG.md) for release history.

Security
--------

See [SECURITY.md](SECURITY.md) for vulnerability reporting and security considerations.

Contributing
------------

See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and contribution guidelines.

License
-------

MIT License - see [LICENSE](LICENSE) file for details.

### Health Score

45 (Fair, better than 91% of packages)

- Maintenance: 92 (actively maintained with recent releases)
- Popularity: 7 (limited adoption so far)
- Community: 10 (small or concentrated contributor base)
- Maturity: 60 (established project with proven stability)
- Bus Factor: 1 (top contributor holds 53.2% of commits, a single point of failure)

How is this calculated?

- **Maintenance (25%)**: Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~39 days
- Total: 4
- Last release: 23d ago

### Community

Maintainers: [marcstraube](/maintainers/marcstraube)

Top Contributors:

- [marcstraube](https://github.com/marcstraube) (25 commits)
- dependabot[bot] (19 commits)
- marcstraube-release-bot[bot] (2 commits)
- github-actions[bot] (1 commits)

Tags: csp, hsts, input-sanitization, php, php84, rate-limiting, security, sri, cors, password, headers, content-security-policy, xss, csrf, rate limiting, php8, sanitization, subresource-integrity, audit-logging

### Code Quality

- Tests: PHPUnit
- Static Analysis: PHPStan, Psalm, Rector
- Code Style: PHP CS Fixer
- Type Coverage: Yes

