Added

• Silent handling for Livewire bot-driven TypeError exceptions (for example: Cannot assign array to property ...) when they originate from Livewire update flows
• Payload update normalization for multiple Livewire request formats, improving detection of array-injection attempts

Changed

• Exception silencing now integrates with dontReport, reportable, and renderable hooks for stronger compatibility with Laravel exception pipelines
• Improved local warning message text for blocked Livewire manipulation attempts
• Updated documentation to clarify Sentry/noise behavior, payload-injection handling, and custom app/Exceptions/Handler.php integration guidance

Changed

• Simplified blocked_user_agents config by using single 'python' pattern instead of multiple variants
• Added documentation explaining that patterns use str_contains() for wildcard matching
• Removed redundant patterns: python-requests, python/requests, python requests, python requests 2., python-urllib (all now covered by 'python')

Livewire Injection Stopper

Protect your Laravel + Livewire application from spam bots and security vulnerabilities.

What does this package do?

This package protects your Laravel application in two ways:

1. 🛡️ Blocks Spam Bots

Automatically blocks automated spam bots (like Python scripts, curl, wget) from accessing your website. No more spam form submissions!

2. 🔍 Finds Security Holes in Livewire

Scans your Livewire components and tells you which properties attackers could manipulate. For example, if you have public $isAdmin = false, an attacker could change it to true in their browser!

Installation

composer require darvis/livewire-injection-stopper

That's it! The spam bot blocking is now active.

Check Your Security

Run this command to scan your Livewire components:

php artisan livewire-injection-stopper:audit

It will show you which properties need protection.

Example: Fixing a Security Issue

Before (Vulnerable):

class CheckoutComponent extends Component
{
    public $price = 100.00;  // ⚠️ Attacker can change this to $0.01!
}

After (Secure):

use Livewire\Attributes\Locked;

class CheckoutComponent extends Component
{
    #[Locked]  // ✅ Now protected!
    public $price = 100.00;
}

What Gets Blocked?

By default, these bots are blocked:

• Python scripts (python-requests)
• Command-line tools (curl, wget)
• Web scrapers (scrapy)
• Generic bots and crawlers

Real browsers and users are never blocked.

Configuration (Optional)

Want to customize? Publish the config file:

php artisan vendor:publish --tag=livewire-injection-stopper-config

Now you can:

• Add or remove blocked bots
• Block specific IP addresses
• Whitelist certain routes (like webhooks)

Documentation

For detailed documentation, see the /docs folder:

• Installation Guide - Detailed setup instructions
• Security Audit - How to use the audit command
• Middleware Configuration - Customize bot blocking
• Livewire Security - Understanding the threats
• Testing - Running tests

Quick Links

• 📖 Full Documentation
• 🐛 Report Issues
• 💬 Get Support

Requirements

• PHP 8.1+
• Laravel 11.0 or 12.0
• Livewire 3.0

License

MIT License - feel free to use in any project!

Credits

Created by Arvid de Jong

Need help? Check the documentation or email info@arvid.nl