Getting Started

Minimal Setup

Installation

composer require salehye/laravel-security
php artisan vendor:publish --provider="Salehye\Security\SecurityServiceProvider"
php artisan migrate

Publishes config (config/security.php) and migrations (e.g., failed_attempts, sessions).

Enable Core Features Add to AppServiceProvider@boot():

\Salehye\Security\Facades\Security::enable([
    'input_sanitization',
    'xss_protection',
    'brute_force',
]);

First Use Case: Secure a Controller

use Salehye\Security\Facades\Security;

public function update(Request $request, $id) {
    Security::validateInput($request); // Auto-sanitizes + validates
    Security::requireReauthentication(); // For sensitive actions
    // Proceed with logic...
}

Key Configurations

Brute Force: Set thresholds in config/security.php under brute_force.max_attempts.
2FA: Enable via php artisan security:2fa:enable and use middleware @2fa.

Implementation Patterns

1. Input Handling Workflow

// Manual validation (replaces Laravel's validate())
$validated = Security::validateInput($request, [
    'email' => 'required|email|no_sql_injection',
    'bio' => 'nullable|xss_safe',
]);

// Auto-apply to all requests via middleware
// Add to `app/Http/Kernel.php`:
protected $middleware = [
    \Salehye\Security\Http\Middleware\SanitizeInput::class,
];

2. Session Security

Detect Suspicious Logins:

if (Security::isSuspiciousLogin()) {
    event(new SuspiciousLoginDetected());
}

Concurrent Session Control:

Security::setMaxSessions(3); // Configurable per user

3. Sensitive Operations

// Require re-authentication for DELETE/PUT
public function destroy($id) {
    Security::requireReauthentication();
    // Proceed...
}

4. 2FA Integration

// Generate QR code for setup
$qrCode = Security::generate2FAQR('user@example.com');

// Verify code
if (Security::verify2FA($code)) {
    auth()->user()->mark2FAVerified();
}

5. Custom Rules

Extend validation rules:

use Salehye\Security\Rules\CustomRule;

class CustomRule extends CustomRule {
    public function passes($attribute, $value) {
        return str_contains($value, 'allowed');
    }
}

// Usage:
Security::validateInput($request, ['field' => 'custom_rule']);

Gotchas and Tips

Pitfalls

Performance Overhead
- Issue: Heavy input sanitization may slow down bulk operations.
- Fix: Disable for non-critical routes:
```
Security::disable('input_sanitization');
```
False Positives in XSS Protection
- Issue: Legitimate HTML (e.g., <script> tags in CMS content) may be stripped.
- Fix: Whitelist trusted users:
```
Security::allowXSSForUser(auth()->id());
```
2FA Migration Pitfalls
- Issue: Existing users may lose access if 2FA is enforced without migration.
- Fix: Use staged rollout:
```
if (app()->environment('production')) {
    Security::enforce2FAForUsers(['admin']);
}
```
Session Fixation
- Issue: session_regenerate_id() may not work if middleware order is wrong.
- Fix: Place SanitizeInput before StartSession in Kernel.php.

Debugging Tips

Log Failed Attempts:

Security::setFailedAttemptLogger(function ($data) {
    Log::warning('Brute force attempt', $data);
});

Bypass for Testing:

Security::disableAll(); // Temporarily disable all checks

Extension Points

Custom Validation Rules Extend Salehye\Security\Rules\BaseRule and register via:
```
Security::extendRule('custom_rule', CustomRule::class);
```
Override Default Policies Publish and modify config/security.php policies (e.g., max_failed_attempts).

Event Listeners Listen for security events:

event(new \Salehye\Security\Events\BruteForceDetected($user));

Config Quirks

Geographic Anomaly Detection Requires geoip2/geoip2 and a MaxMind DB. Configure path in config/security.php:
```
'geoip_database' => database_path('GeoLite2-City.mmdb'),
```
Rate Limiting Uses Laravel’s rate limiter under the hood. Customize via:
```
'brute_force' => [
    'limiter' => '5-minutes',
],
```

Laravel Security Laravel Package