Download the PHP package amreljako/secure-core without Composer
On this page you can find all versions of the php package amreljako/secure-core. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download amreljako/secure-core
More information about amreljako/secure-core
Files in amreljako/secure-core
Package secure-core
Short Description Advanced Security Hardener for Laravel Applications
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package secure-core
SecureCore for Laravel
SecureCore is an advanced security hardening framework designed for Laravel applications. It provides a multi-layered defense strategy to protect sensitive data, mitigate API vulnerabilities (like BOLA), and prevent automated infrastructure scanning through intelligent intrusion detection.
Installation
Install the package via composer:
Publish the configuration file:
Key Features & Implementation
1. Transparent Database Encryption
Protect PII (Personally Identifiable Information) by encrypting model attributes at rest. SecureCore automatically handles encryption/decryption and includes safety checks to prevent errors with legacy non-encrypted data.
Usage:
Add the HasSecureAttributes trait to your model and define the $encryptable array.
2. Auto-BOLA Protection (ID Obfuscation)
Mitigates Broken Object Level Authorization (BOLA) by masking internal Database IDs using Hashids. This prevents attackers from guessing or enumerating resource IDs (e.g., changing /api/orders/1 to /api/orders/vj8k2p).
Usage:
Apply the SecureResource trait to your model.
Important: Generating Secure URLs
To ensure the ID is obfuscated in your routes, you must pass the entire model instance to the route() helper. If you pass the ID explicitly, Laravel will bypass the secure encoding.
Incorrect (Exposes the raw ID):
Correct (Generates secure Hashid):
Security Note: By passing the model instance, Laravel automatically calls the getRouteKey() method provided by our trait, ensuring that only the secure hash is exposed to the end-user.
3. API Request Signature Verification
Ensures data integrity for sensitive endpoints. This requires an X-Secure-Signature header, which is an HMAC-SHA256 hash of the payload using the APP_KEY.
Implementation:
4. Automated Production Shield
When APP_ENV is set to production, SecureCore enforces strict security defaults:
- Forced Debug Disable: Overrides
APP_DEBUGtofalse. - Environment Scrubbing: Masks sensitive ENV variables in logs and error reports.
- Server Masking: Strips
X-Powered-ByandServerheaders to reduce information exposure.
Security Headers (Automatic)
The following headers are injected into every response to enforce browser-level security:
-
Strict-Transport-Security: max-age=31536000; includeSubDomains
-
Content-Security-Policy: upgrade-insecure-requests
-
X-Frame-Options: SAMEORIGIN
-
X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
Configuration Summary
The package behavior can be fine-tuned via config/secure-core.php. Environment variables available:
License
The MIT License (MIT). Please see the License File for more information.
Developed by Amr Elsayed (https://github.com/amreljako)
