Download the PHP package saarors/firewtwall-php without Composer
On this page you can find all versions of the php package saarors/firewtwall-php. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package firewtwall-php
Short Description Zero-dependency PHP Web Application Firewall – drop-in auto_prepend_file middleware
License MIT
Homepage https://github.com/saarors/fireWTwall
Information about the package firewtwall-php
🔥 fireWTwall
Designed, built and maintained by saarors
A production-ready Web Application Firewall (WAF) with zero external runtime dependencies. Available as an npm package for Node.js, Bun, and Express; as a drop-in PHP auto-prepend file; and as an ASP.NET HttpModule for classic .NET Web Forms / MVC.
All versions share the same rule sets, detection philosophy, and NDJSON log format.
Table of contents
- Protections
- Node.js & Bun
- Quick start
- Bun runtime
- All options
- Debug mode
- Log viewer CLI
- Redis / multi-process
- Configuration reference
- TypeScript
- Test commands
- PHP
- Requirements & install
- Configuration
- Rate limiter storage
- Debug mode (PHP)
- ASP.NET (.aspx)
- Requirements
- Installation
- Configuration
- Debug mode (ASP.NET)
- Test commands (ASP.NET)
- Middleware pipeline
- Log format
- Security headers
- Project structure
- Important notes
- License & credits
What's new in v2.3.1: next-gen original detection layers
| Layer | How it works |
|---|---|
| Entropy Scanner | Shannon entropy (H = -Σ p·log₂p) on every param; catches shellcode, multi-encoded payloads and base64 bombs with zero signatures |
| Heuristic Engine | Structural zero-day detection: encoding mix density, bracket nesting depth, keyword-per-char ratio, function chain depth, operator storms, polyglot payloads |
| Multi-Vector Correlation | Catches attacks split across 3+ parameters that are individually harmless but dangerous together |
| Mutation Tracker | Levenshtein distance tracking per IP; detects payload fuzzing / WAF bypass attempts in real time |
| Semantic Type Check | 80+ param names with known types; if id= contains <script> or page= contains SQL, it fires |
| Request Rhythm | Timing analysis; detects machine-regular bots (stddev < 50ms), burst scanners, and low-and-slow cron scanners |
| DDoS Protection | Burst limiter, global flood guard, fingerprint flood, path flood, URL/header size guards, optional tarpitting |
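The entropy layer above is the easiest of these to reproduce and to reason about for false positives. The following is an added example written for this page, not fireWTwall's own code: it computes Shannon entropy per parameter and flags values whose entropy exceeds a threshold. The threshold (4.5 bits per character), the minimum length that is scored at all, and the sample parameters are assumptions of this example; the project's real cut-offs are not stated on this page.

```javascript
// Added example, not fireWTwall's code. Per-parameter Shannon entropy scoring
// in the spirit of the "Entropy Scanner" layer. Threshold and minimum length
// are assumed values chosen for illustration.

// H = -Σ p(c) · log2 p(c) over the characters of the string (bits/char).
function shannonEntropy(value) {
  if (value.length === 0) return 0;
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scores every parameter. Values shorter than minLength are skipped because
// the entropy of a handful of characters says nothing about the payload;
// English text sits around 3.5-4 bits/char, packed or encoded data near 6.
function entropyScan(params, { minLength = 24, threshold = 4.5 } = {}) {
  const findings = [];
  for (const [name, raw] of Object.entries(params)) {
    const value = String(raw);
    if (value.length < minLength) continue;
    const h = shannonEntropy(value);
    if (h >= threshold) {
      findings.push({ param: name, entropy: Number(h.toFixed(3)), length: value.length });
    }
  }
  return findings;
}

// Constructed sample request parameters (not captured traffic): a short
// value, an ordinary search phrase, and a value containing every base64
// alphabet character once as a stand-in for an encoded blob.
const SAMPLE_PARAMS = {
  page: 'home',
  q: 'the quick brown fox jumps over the lazy dog',
  data: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
};

// Only the `data` parameter should be reported.
console.log(entropyScan(SAMPLE_PARAMS));
```

The usual tuning problem is exactly the one the text hints at: legitimate base64 (session blobs, signed tokens, uploaded images in form fields) has the same entropy as a packed payload, so a deployment would exempt known-binary parameter names or raise the threshold for them rather than lower it globally.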
Protections
| Layer | What it catches | Rules |
|---|---|---|
| SQL Injection | UNION SELECT, stacked queries, blind (SLEEP/WAITFOR), EXTRACTVALUE, UPDATEXML, GTID_SUBSET, EXP(~()), sys schema, CASE WHEN, @@version | 38 |
| XSS | Script tags, on*= handlers, DOM sinks, AngularJS {{}}, data URIs, SVG animate, CSS @import, -moz-binding, meta refresh | 29 |
| Path Traversal | ../ sequences, null bytes, PHP wrappers, Windows paths (C:\, system32), /boot/grub, .env, .git/, .ssh/ | 18 |
| Command Injection | Shell pipes, PowerShell, wget/curl RCE, Python/Ruby/Perl/PHP/Node CLI, netcat, whoami, env dump | 18 |
| SSTI | Jinja2, Twig, FreeMarker, Velocity, Smarty, ERB, OGNL/Struts2, Spring4Shell, Tornado | 18 |
| RFI | HTTP/FTP/SMB/expect:// inclusion, log poisoning, /proc/self/environ (file-param names only) | 6 |
| Log4Shell | CVE-2021-44228: JNDI LDAP/RMI/DNS + all obfuscation variants | 6 |
| Shellshock | CVE-2014-6271: () { :; }; scanned in every header | 2 |
| NoSQL Injection | MongoDB $ne, $gt, $where, $regex, $expr (params + bracket notation) | 11 |
| LDAP Injection | Filter bypass, parenthesis injection, null-byte, uid/admin wildcard, hex chars | 6 |
| Deserialization | PHP O:N:, Java AC ED 00 05 (base64 + hex), Python pickle, node-serialize RCE | 7 |
| SSRF | Private IPs, cloud metadata (169.254.169.254, Azure, GCP), dangerous URI schemes | 3 |
| XXE | DOCTYPE, ENTITY SYSTEM/PUBLIC, parameter entities, XInclude (XML bodies only) | 5 |
| Open Redirect | Absolute URLs or // in redirect/return/next/dest params | 1 |
| Prototype Pollution | __proto__, constructor.prototype in query/body/JSON keys | 1 |
| CRLF / Header Injection | HTTP response splitting, host-header injection | – |
| Rate Limiting | Sliding-window per IP; configurable window, limit, block duration. Redis-ready | – |
| IP Filter | Blacklist + whitelist with CIDR (IPv4 and IPv6) | – |
| Bad Bot Blocking | 115+ blocked signatures: sqlmap, nmap, curl, wget, ffuf, nuclei, Metasploit (msf/), python-*, HTTP clients, libcurl, Postman, Insomnia… | – |
| Automation Detection | Detects suspicious User-Agent patterns (curl, python, perl, ruby, java, libcurl, scrapy, mechanize) | – |
| HTTP Method Filter | Rejects TRACE, CONNECT, and any non-configured verb | – |
| Request Size Limit | Content-Length header check + streaming byte guard | – |
| Security Headers | HSTS, CSP, COOP, CORP, COEP, Referrer-Policy, Permissions-Policy, NEL; X-Powered-By stripped | – |
Dual mode: mode: 'reject' blocks · mode: 'log-only' audits without blocking (recommended for first deploy)
Node.js & Bun
Quick start
npm:
Bun:
Example (works with both):
Bun runtime
fireWTwall fully supports Bun, a fast JavaScript runtime that is compatible with Node.js APIs.
Run with Bun:
Performance benefits:
- Faster startup than Node.js
- Lower memory footprint
- Identical security protection
- No code changes needed
See docs/nodejs/bun.md for complete Bun documentation.
All options
Debug mode
When debug: true, every request, passed or blocked, is fully traced:
| What changes | Detail |
|---|---|
| All requests logged | Every request lands in the NDJSON log with processing time and checks run |
| X-WAF-* response headers | Four headers expose the outcome to the caller |
| Verbose log fields | Raw matched value, decoded value, and exact rule name are included |
Response headers in debug mode:
| Header | Example value | Present |
|---|---|---|
| X-WAF-RequestId | f47ac10b58cc1122 | Always |
| X-WAF-Result | passed or blocked | Always |
| X-WAF-Rule | sql-union-select | Blocked only |
| X-WAF-Time | 0.83ms | Always |
Passed request log entry:
Blocked request log entry:
Catch nmap in debug mode:
⚠️ Never use debug: true in production; it leaks internal rule names to the caller.
Log viewer CLI
Redis / multi-process
Replace the built-in in-memory store with any key-value backend (the store is what needs to be shared when more than one process or server handles traffic, otherwise each worker keeps its own counters):
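As an added illustration of what "swap the in-memory store" means for a sliding-window limiter, here is a limiter written for this page behind a minimal pluggable store. It is not fireWTwall's code and the get/set/del contract is an assumption of this example, not the project's store interface; a Redis-backed store would implement the same three async methods (serialising the timestamp array to a string). The default numbers mirror the configuration reference: 100 requests per 60 s window, then a 10-minute block.

```javascript
// Added example, not fireWTwall's code. Sliding-window rate limiter with a
// pluggable async key-value store. The get/set/del contract is assumed here;
// an in-memory Map implementation is provided so the example runs offline.

class MemoryStore {
  constructor() { this.map = new Map(); }
  async get(key) { return this.map.has(key) ? this.map.get(key) : null; }
  async set(key, value) { this.map.set(key, value); }
  async del(key) { this.map.delete(key); }
}

class SlidingWindowLimiter {
  constructor(store, { windowMs = 60000, maxRequests = 100, blockDurationMs = 600000 } = {}) {
    this.store = store;
    this.windowMs = windowMs;
    this.maxRequests = maxRequests;
    this.blockDurationMs = blockDurationMs;
  }

  // Returns { allowed, remaining, retryAfterMs }. `now` is injectable so the
  // decision sequence can be reproduced deterministically.
  async check(ip, now = Date.now()) {
    const blockKey = `block:${ip}`;
    const hitsKey = `hits:${ip}`;

    // An active block short-circuits everything; an expired one is cleared.
    const blockedUntil = await this.store.get(blockKey);
    if (blockedUntil !== null && now < blockedUntil) {
      return { allowed: false, remaining: 0, retryAfterMs: blockedUntil - now };
    }
    if (blockedUntil !== null) await this.store.del(blockKey);

    // Keep only the timestamps still inside the window (true sliding window,
    // not a fixed bucket that resets on the minute).
    const hits = (await this.store.get(hitsKey)) || [];
    const recent = hits.filter(t => now - t < this.windowMs);

    if (recent.length >= this.maxRequests) {
      await this.store.set(blockKey, now + this.blockDurationMs);
      await this.store.del(hitsKey);
      return { allowed: false, remaining: 0, retryAfterMs: this.blockDurationMs };
    }

    recent.push(now);
    await this.store.set(hitsKey, recent);
    return { allowed: true, remaining: this.maxRequests - recent.length, retryAfterMs: 0 };
  }
}

// Replays a burst of request timestamps for one IP and returns the decisions.
async function simulateBurst(limiter, ip, timestamps) {
  const decisions = [];
  for (const t of timestamps) decisions.push(await limiter.check(ip, t));
  return decisions;
}

// Stand-alone demo with constructed timestamps: 3 requests/second allowed,
// 5 s block. The fourth request inside the window trips the block.
const demoLimiter = new SlidingWindowLimiter(new MemoryStore(), { windowMs: 1000, maxRequests: 3, blockDurationMs: 5000 });
simulateBurst(demoLimiter, '203.0.113.9', [0, 100, 200, 300, 4000, 5300]).then(d => console.log(d.map(x => x.allowed)));
```

The read-filter-write sequence in check() is not atomic, so two workers sharing a Redis store can both admit the 100th request; a production adapter would do the window trim and append in one server-side operation (a Lua script or a sorted-set pipeline) rather than round-tripping the array.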
Configuration reference
| Key | Default | Description |
|---|---|---|
| mode | 'reject' | 'reject' blocks · 'log-only' audits |
| allowedMethods | ['GET','POST','PUT','PATCH','DELETE','OPTIONS','HEAD'] | Permitted HTTP verbs |
| maxBodySize | 10485760 | Max Content-Length in bytes (10 MB) |
| rateLimit.windowMs | 60000 | Sliding-window duration in ms |
| rateLimit.maxRequests | 100 | Requests allowed per window per IP |
| rateLimit.blockDurationMs | 600000 | Block duration after violation |
| whitelist | [] | IPs / CIDRs that bypass all checks |
| blacklist | [] | IPs / CIDRs that are always blocked |
| bypassPaths | ['/health','/ping'] | Paths that skip all WAF checks |
| trustedProxies | [] | Enable X-Forwarded-For parsing |
| logPath | './logs/waf.log' | NDJSON log file path |
| responseType | 'json' | Block response: 'json' or 'html' |
| debug | false | Full request tracing + X-WAF-* headers |
TypeScript
Types ship with the package; no @types/ install needed:
Test commands
PHP
Requirements
- PHP ≥ 8.0
- APCu extension (optional but recommended; a file-based fallback is included)
Installation
Option A – Composer (recommended):
Then load it at the top of your entry point:
Or via php.ini / .htaccess (auto-runs before every script):
Option B – php.ini (server-wide, no Composer):
Option C – .htaccess (per-directory, Apache):
Option D – manual include (any framework):
Configuration (php/config/waf.config.php)
Rate limiter storage
| Backend | When used | Notes |
|---|---|---|
| APCu | APCu extension loaded | Fast, atomic, shared across PHP-FPM workers |
| File-based | Fallback | Uses sys_get_temp_dir(); safe for shared hosting |
Enable APCu in php.ini:
Debug mode (PHP)
Set 'debug' => true in waf.config.php. The same X-WAF-* response headers and verbose NDJSON log entries as the Node.js version will be produced.
⚠️ Disable in production. Debug mode exposes rule names to the client.
ASP.NET (.aspx)
fireWTwall runs as a standard IHttpModule, the same mechanism used by ASP.NET's built-in security features. It fires on every request before your code runs, regardless of whether the target is an .aspx page, MVC controller, Web API endpoint, or .ashx handler.
ASP.NET Requirements
- .NET Framework 4.7.2 or later
- IIS 7.5+ or IIS Express
- System.Web, System.Runtime.Caching, and System.Web.Extensions assemblies (all included in .NET 4.7.2+)
ASP.NET Installation
Step 1: Add the source files to your project.
Copy the aspnet/src/ directory into your web project or a referenced class library:
Step 2: Register the HttpModule in Web.config:
That's it. The WAF now intercepts every request automatically.
ASP.NET Configuration
Override defaults in Global.asax.cs Application_Start:
Key settings:
| Property | Default | Description |
|---|---|---|
| Mode | "reject" | "reject" blocks · "log-only" audits |
| MaxBodySize | 10485760 | Max Content-Length in bytes |
| RateLimit.WindowSec | 60 | Sliding window in seconds |
| RateLimit.MaxRequests | 100 | Requests per IP per window |
| RateLimit.BlockDurationSec | 600 | Block duration after violation |
| Whitelist | [] | IPs / CIDRs that bypass all checks |
| Blacklist | [] | IPs / CIDRs that are always blocked |
| BypassPaths | ["/health","/ping"] | URL prefixes that skip all checks |
| TrustedProxies | [] | Enable X-Forwarded-For parsing |
| LogPath | App_Data/waf.log | NDJSON log file path |
| ResponseType | "json" | Block response: "json" or "html" |
| Debug | false | Adds X-WAF-* headers (see Debug mode below) |
See docs/aspnet/configuration.md for the full reference including DDoS and bot config.
Debug mode (ASP.NET)
Adds four response headers to every request and logs all passing requests:
| Header | Example | Present |
|---|---|---|
| X-WAF-RequestId | f47ac10b58cc1122 | Always |
| X-WAF-Result | passed or blocked | Always |
| X-WAF-Rule | sql-union-select | Blocked only |
| X-WAF-Time | 0.83ms | Always |
Tail the log in PowerShell:
⚠️ Never use Debug = true in production; it exposes rule names in response headers.
See docs/aspnet/debug-mode.md for full details.
Test commands (ASP.NET)
Middleware pipeline
Requests pass through 23 stages (Node.js) / 22 stages (PHP) in this order:
Pattern-based stages (12–22) scan: query params · request body · URL path · cookies · all headers
Log4Shell (stage 18) and Shellshock (stage 19) scan every HTTP header, not just params.
Log format
Every blocked request appends one NDJSON line to the log file:
Severity levels: critical · high · medium
Sources: query · body · path · cookie:<name> · user-agent · header:<name>
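Because each block is one JSON object per line, the log can be summarised with a few lines of code, which is what the log viewer CLI mentioned earlier does. The following is an added example written for this page, not the project's viewer: it parses NDJSON, tolerates a malformed line (a truncated write, for instance), and aggregates by severity, source family, rule and client IP. The field names (ts, ip, rule, severity, source, path) and the sample lines are constructed for this example; the project's exact schema is not reproduced on this page.

```javascript
// Added example, not fireWTwall's log viewer. NDJSON summariser over a
// constructed sample log; field names are assumed for illustration.

// Constructed sample entries (not real traffic). Line 4 is deliberately
// malformed to show that one bad line must not abort the whole report.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","ip":"203.0.113.7","rule":"sql-union-select","severity":"critical","source":"query","path":"/search"}',
  '{"ts":"2024-05-01T10:00:02Z","ip":"203.0.113.7","rule":"xss-script-tag","severity":"high","source":"body","path":"/comment"}',
  '{"ts":"2024-05-01T10:00:05Z","ip":"198.51.100.2","rule":"path-traversal","severity":"high","source":"path","path":"/files"}',
  'this line is not json',
  '{"ts":"2024-05-01T10:00:09Z","ip":"203.0.113.7","rule":"sql-union-select","severity":"critical","source":"cookie:session","path":"/"}',
].join('\n');

// One JSON object per line; blank lines ignored, unparsable lines counted.
function parseNdjson(text) {
  const entries = [];
  let skipped = 0;
  for (const line of text.split('\n')) {
    if (line.trim() === '') continue;
    try { entries.push(JSON.parse(line)); } catch { skipped++; }
  }
  return { entries, skipped };
}

function countBy(entries, key) {
  const counts = {};
  for (const e of entries) {
    const k = e[key] ?? 'unknown';
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

// cookie:<name> and header:<name> are collapsed to their family so the
// overview stays readable when many distinct cookie names are hit.
function sourceFamily(source) {
  return String(source).split(':')[0];
}

function summarise(text, { severities = ['critical', 'high', 'medium'] } = {}) {
  const { entries, skipped } = parseNdjson(text);
  const families = entries.map(e => ({ ...e, source: sourceFamily(e.source) }));
  return {
    total: entries.length,
    skipped,
    bySeverity: countBy(entries, 'severity'),
    bySource: countBy(families, 'source'),
    byRule: countBy(entries, 'rule'),
    // Most active client IPs first; useful for deciding on a blacklist entry.
    topIps: Object.entries(countBy(entries, 'ip')).sort((a, b) => b[1] - a[1]).slice(0, 5),
    // Entries with a severity outside the documented set point at a schema change.
    unknownSeverity: entries.filter(e => !severities.includes(e.severity)).length,
  };
}

console.log(JSON.stringify(summarise(SAMPLE_LOG), null, 2));
```

When reviewing a log-only deployment for false positives, the byRule counts are the first thing to look at: a single rule that dominates the list on ordinary traffic is usually the one to tune before switching to reject.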
Security headers (added to every response)
| Header | Value |
|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| Content-Security-Policy | default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none' |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=(), payment=(), usb=(), interest-cohort=() |
| Cross-Origin-Opener-Policy | same-origin |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Embedder-Policy | require-corp |
| X-Permitted-Cross-Domain-Policies | none |
| NEL | {"report_to":"default","max_age":31536000,"include_subdomains":true} |
| X-Powered-By | (removed) |
Project structure
The docs/aspnet/ directory contains the full ASP.NET reference:
| File | Description |
|---|---|
| docs/aspnet/installation.md | Source copy, class library setup, Web.config registration, log protection |
| docs/aspnet/configuration.md | All WafConfig properties, DDoS settings, bot detection config |
| docs/aspnet/debug-mode.md | X-WAF-* headers, log verbosity, PowerShell log viewer |
Important notes
- Start with log-only mode in production. Review logs for false positives before switching to reject.
- The logs/ directory must be writable by the web server but not web-accessible. The included php/logs/.htaccess handles this for Apache.
- This WAF is a defence-in-depth layer; it does not replace parameterised queries, input validation, or proper output encoding in your application code.
- For multi-process / multi-server Node.js deployments, swap the in-memory rate-limit store with Redis (see the Redis example above).
- The CSP header shipped by default is strict. If your app loads scripts or styles from external origins, tune Content-Security-Policy in the security-headers middleware before deploying.
License
MIT © saarors
Credits
Author & lead developer
| saarors | Created fireWTwall from scratch: designed the full architecture, wrote every detection rule for both the Node.js and PHP editions, built and published the npm package, and owns every release. |
All design decisions, architecture choices, and release ownership belong to saarors.