Download the PHP package perimeterx/php-sdk without Composer

On this page you can find all versions of the php package perimeterx/php-sdk. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Example code of perimeterx/php-sdk

Informations about the package php-sdk

Build Status

image

#

PerimeterX PHP SDK

Latest stable version: v3.10.2

Table of Contents

Dependencies

Installation

Installation can be done using Composer.

It can also be done by downloading the sources for this repository, and running composer install.

Basic Usage Example

Upgrading

Download the new version from packagist.

For more information contact PerimeterX Support.

Configuration Options

Configuring Required Parameters

Configuration options are set on the $perimeterxConfig variable.

Required parameters:

All parameters are obtainable via the PerimeterX Portal. (Applications and Policies pages)

Changing the Minimum Score for Blocking

Default blocking value: 100

Custom Blocking Actions

In order to customize the action performed on a valid block value, use the 'custom_block_handler' option, and provide a user-defined function.

The custom handler should contain the action to be taken, when a visitor receives a score higher than the 'blocking_score' value. Common customization options are presenting of a reCAPTCHA, or supplying a custom branded block page.

Default block behaviour: return an HTTP status code of 403 and serve the PerimeterX block page.

Examples

Serving a Custom HTML Page

Customizing Default Block Pages

Custom logo insertion Adding a custom logo to the blocking page is by providing the pxConfig a key custom_logo , the logo will be displayed at the top div of the the block page The logo's max-heigh property would be 150px and width would be set to auto

The key custom_logo expects a valid URL address such as https://s.perimeterx.net/logo.png

Example below:

Custom JS/CSS

The block page can be modified with a custom CSS by adding to the pxConfig the key css_ref and providing a valid URL to the css In addition there is also the option to add a custom JS file by adding js_ref key to the pxConfig and providing the JS file that will be loaded with the block page, this key also expects a valid URL

On both cases if the URL is not a valid format an exception will be thrown

Example below:

Side notes: Custom logo/js/css can be added together

No Blocking, Monitor Only

Extracting Recomended Action

Module Mode

Default mode: Perimeterx::$MONITOR_MODE

Possible Values:

Extracting the Real User IP Address

Note: IP extraction, according to your network setup, is very important. It is common to have a load balancer/proxy on top of your applications, in which case the PerimeterX module will send the system's internal IP as the user's. In order to properly perform processing and detection on server-to-server calls, PerimeterX module needs the real user's IP.

The user's IP can be passed to the PerimeterX module using a custom user defined function on the $perimeterxConfig variable, or by passing a list of headers to extract the real IP from, ordered by priority.

Default with no predefined header: $_SERVER['REMOTE_ADDR']

Custom URI

The URI can be returned to the PerimeterX module, using a custom user function, defined on the $perimeterxConfig variable.

Default: $_SERVER['REQUEST_URI']

Filter sensitive headers

A list of sensitive headers can be configured to prevent specific headers from being sent to PerimeterX servers (lower case header names). Filtering cookie headers for privacy is set by default, and can be overridden on the $perimeterxConfig variable.

Default: cookie, cookies

Sensitive Routes

List of routes prefix. The Perimeterx module will always match request uri by this prefix list and if match was found will create a server-to-server call for, even if the cookie score is low and valid.

Default: None

API Timeouts

Note: Controls the timeouts for PerimeterX requests. The API is called when a Risk Cookie does not exist, or is expired or invalid.

The API Timeout, in seconds (float), to wait for the PerimeterX server API response.

Default: 1

The API Connection Timeout, in seconds (float), to wait for the connection to the PerimeterX server API.

Default: 1

Activities API Timeouts

Note: Controls the timeouts for PerimeterX activities requests.

The activities API Timeout, in seconds (float), to wait for the PerimeterX server API response.

Default: 1

The activities API Connection Timeout, in seconds (float), to wait for the connection to the PerimeterX server API.

Default: 1

First Party

A boolean flag to enable/disable first party mode.

Default: true

First Party for Code Defender

A boolean flag to enable/disable first party mode for Code Defender.

Default: false

Send Page Activities

A boolean flag to enable or disable sending of activities and metrics to PerimeterX on each page request. Enabling this feature will provide data that populates the PerimeterX portal with valuable information, such as the amount of requests blocked and additional API usage statistics.

Default: false

Additional Page Activity Handler

Adding an additional activity handler is done by setting 'additional_activity_handler' with a user defined function on the '$perimeterxConfig' variable. The 'additional_activity_handler' function will be executed before sending the data to the PerimeterX portal.

Default: Only send activity to PerimeterX as controlled by '$perimeterxConfig'.

Additional Activity Handler Usage Examples

Log Activity

Send Activity to statsd

Data-Enrichment

User can use the additional activity handler to retrieve information for the request using the data-enrichment object. first, validate the data enrichment object is verified, then you can access it's properties.

Default: false

Enrich Custom Params

With the enrich_custom_params function you can add up to 10 custom parameters to be sent back to PerimeterX servers. When set, the function is called before seting the payload on every request to PerimetrX servers. The parameters should be passed according to the correct order (1-10).

Default: not set

Enrich Custom Params Usage Examples

Login Credentials Extraction

This feature extracts credentials (hashed username and password) from requests and sends them to PerimeterX as additional info in the risk api call. The feature can be toggled on and off, and may be set for any number of unique paths. The settings are adjusted by modifying the px_login_credentials_extraction_enabled and px_login_credentials_extraction properties on the $perimeterxConfig array.

If credentials are found to be compromised, the field px-compromised-credentials will be added to the $_REQUEST object with the value "1". You may configure the name of this field with the px_compromised_credentials_header configuration.

Default:

px_login_credentials_extraction_enabled: false

px_login_credentials_extraction: []

px_compromised_credentials_header: "px-compromised-credentials"

It is also possible to define a custom callback to extract the username and password. The function should return an associative array with the keys user and pass. If extraction is unsuccessful, the function should return null.

Additional S2S Activity

To enhance detection on login credentials extraction endpoints, the following additional information is sent to PerimeterX via an additional_s2s activity:

There are a number of different possible ways to report the success or failure of the login attempt. If left empty, the login successful status will always be reported as false.

Default: Empty

Status

Provide a status or array of statuses that represent a successful login. If a response's status code matches the provided value or one of the values in the provided array, the login successful status is set to true. Otherwise, it's set to false.

Note: To define a range of statuses, use the custom reporting method.

Default Values

px_login_successful_status: 200

Header

Provide a header name and value. If the header exists on the response (accessed via the headers_list() function ) and matches the provided value, the login successful status is set to true. If the header is not found on the response, or if the header value does not match the value in the configuration, the login successful status is set to false.

Default Values

px_login_successful_header_name: x-px-login-successful

px_login_successful_header_value: 1

Custom

Provide a custom callback that returns a boolean indicating if the login was successful. The value of the configuration field can be either an anonymous function or the name of the defined function as a string.

Default Values

px_login_successful_custom_callback: null

Raw Username

When enabled, the raw username used for logins on login credentials extraction endpoints will be reported to PerimeterX if (1) the credentials were identified as compromised, and (2) the login was successful as reported via the property above.

Default: false

Manually Sending Additional S2S Activity

By default, this additional_s2s activity is sent automatically. If it is preferable to send this activity manually, it's possible to disable automatic sending by configuring the value of px_automatic_additional_s2s_activity_enabled to false.

*Default Value: true

The activity can then be sent manually by invoking the function $px->pxSendAdditionalS2SActivity(), which accepts the following parameters:

Parameter Name Type Required Default Value
$responseStatusCode int yes n/a
$wasLoginSuccessful bool no null

Example Usage

If further flexibility is needed, a JSON representation of the additional_s2s activity can be added to the $_REQUEST array. This activity can then be sent to another server if needed, parsed, modified, and sent via XHR POST as a JSON to PerimeterX. To do this, disable automatic sending and enable the additional activity header configuration.

Default Value

px_additional_s2s_activity_header_enabled: false

The activity payload and URL destination will then be available by accessing $_REQUEST['px-additional-activity'] and $_REQUEST['px-additional-activity-url'], respectively.

Logging

Log messages via an implementation of \Psr\Log\LoggerInterface (see PSR-3 for full interface specification). By default, an instance of \Perimeterx\PerimeterxLogger is used which will log all message via PHP's error_log function.

Default: \Perimeterx\PerimeterxLogger instance

Debug Mode

Enables debug logging mode.

Default: false

Once enabled, debug messages coming out from PerimeterX should be in the following template:

[PerimeterX - DEBUG][APP_ID] - MESSAGE - for debug messages

[PerimeterX - ERROR][APP_ID] - MESSAGE - for error messages

An example log for an high score cookie:

Guzzle Client Handler

Allows setting a handler to the Guzzle client object.

Default: false

Custom Block URL

You can customize the block page to meet branding and message requirements by specifying the URL of the block page HTML file. The enforcer will redirect to the block page defined in the custom_block_url variable. The defined block page will display a 307 (Temporary Redirect) HTTP Response Code.

Default: not set

Advanced Blocking Response Flag

Enables/disables the Advanced Blocking Response functionality.

Default: false

Return Response Flag

Enables/disables the ability to return the response back (useful for frameworks like Symfony) instead of running die().

Default: false

Defer Activities Sending

Specifies if sending page activities should be deferred until shutdown or not.

Default: true

Test Block Flow on Monitoring Mode

Allows you to test an enforcer’s blocking flow while you are still in Monitor Mode.

When the header name is set (eg. x-px-block) and the value is set to 1, when there is a block response (for example from using a User-Agent header with the value of PhantomJS/1.0) the Monitor Mode is bypassed and full block mode is applied. If one of the conditions is missing you will stay in Monitor Mode. This is done per request. To stay in Monitor Mode, set the header value to 0.

The Header name is configurable using the bypass_monitor_header property.

Default: not set

Advanced Blocking Response

In special cases, (such as XHR post requests) a full Captcha page render might not be an option. In such cases, using the Advanced Blocking Response returns a JSON object continaing all the information needed to render your own Captcha challenge implementation, be it a popup modal, a section on the page, etc. The Advanced Blocking Response occurs when a request contains the Accept header with the value of application/json. A sample JSON response appears as follows:

Once you have the JSON response object, you can pass it to your implementation (with query strings or any other solution) and render the Captcha challenge.

In addition, you can add the _pxOnCaptchaSuccess callback function on the window object of your Captcha page to react according to the Captcha status. For example when using a modal, you can use this callback to close the modal once the Captcha is successfullt solved.
An example of using the _pxOnCaptchaSuccess callback is as follows:

To enable Advanced Blocking Response see the Advanced Blocking Response Flag section.

For details on how to create a custom Captcha page, refer to the documentation

Additional Information

URI Delimiters

PerimeterX processes URI paths with general- and sub-delimiters according to RFC 3986. General delimiters (e.g., ?, #) are used to separate parts of the URI. Sub-delimiters (e.g., $, &) are not used to split the URI as they are considered valid characters in the URI path.

Contributing

The following steps are welcome when contributing to our project.

Fork/Clone

First and foremost, Create a fork of the repository, and clone it locally. Create a branch on your fork, preferably using a self descriptive branch name.

Code/Run

Help improve our project by implementing missing features, adding capabilites or fixing bugs.

To run the code, simply follow the steps in the installation guide. Grab the keys from the PerimeterX Portal, and try refreshing your page several times continously. If no default behaviours have been overriden, you should see the PerimeterX block page. Solve the CAPTCHA to clean yourself and start fresh again.

Feel free to check out the Example App, to have a feel of the project.

Test

Tests for this project are written using PHPUnit.

Dont forget to test. The project relies heavily on tests, thus ensuring each user has the same experience, and no new features break the code. Before you create any pull request, make sure your project has passed all tests, and if any new features require it, write your own.

To run any of the tests in the available suite, first open the bootstrap.php.dist file, and change the values according to the in-file insturctions. Then, rename the bootstrap.php.dist to bootstrap.php. Finally, run the phpunit tests/PerimeterxCookieValidatorTest command to run all tests, or phpunit <testName> to execute a specific test (e.g. phpunit PerimeterxCookieTest)

To run coverage tests, run phpunit --coverage-html tests/coverage. This will create a directory tests/coverage with an html coverage for inspection.

Pull Request

After you have completed the process, create a pull request to the Upstream repository. Please provide a complete and thorough description, explaining the changes. Remember this code has to be read by our maintainers, so keep it simple, smart and accurate.

All versions of php-sdk with dependencies

PHP Build Version
Package Version
Requires mustache/mustache Version ^2.11.1
guzzlehttp/guzzle Version ~6.0
php Version >=5.5
psr/log Version ^1.0.2
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package perimeterx/php-sdk contains the following files

Loading the files please wait ....