zappzarapp/security

Comprehensive PHP security library: CSP, Security Headers, CSRF, Cookies, Password Validation, Input Sanitization, Rate Limiting, SRI, and Audit Logging

Maintainers

Package info

github.com/marcstraube/zappzarapp-php-security

pkg:composer/zappzarapp/security

Statistics

Installs: 1

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 6

Security

Advisories: 0

Aikido package health analysis

v1.0.0 2026-02-12 03:01 UTC

Requires

Requires (Dev)

Suggests

MIT 100b48351e69a2f76fef8d58753841fdeab916b1

  • Marc Straube <email.woop@marcstraube.de>

securitypasswordheaderscsrfxsssanitizationcspsricontent-security-policyhstsrate-limitingsubresource-integrityphp8audit-logging

This package is auto-updated.

Last update: 2026-03-09 02:57:43 UTC

README

Latest Version PHP Version License CI

Comprehensive PHP security library providing CSP, Security Headers, CSRF protection, Secure Cookies, Password Validation, Input Sanitization, Rate Limiting, SRI, and Audit Logging.

Highlights

  • All-in-one — 9 security modules in a single, composable package
  • Secure by default — strict CSP, no unsafe-*, HTTPS-first
  • Framework-agnostic — works with any PHP 8.4+ application
  • Immutable & type-safe — readonly classes, enums, with*() API
  • Quality-backed — PHPStan Level 8, Psalm Level 1, 100% Mutation Score, Deptrac architecture enforcement
  • PSR-compatible — PSR-3 (Logging), PSR-18 (HTTP Client)

Modules

Module Description Key Classes
CSP Content Security Policy header building CspDirectives, HeaderBuilder, NonceGenerator
Headers Security headers (HSTS, Permissions-Policy, etc.) SecurityHeaders, SecurityHeadersBuilder
CSRF Cross-Site Request Forgery protection CsrfProtection, CsrfConfig
Cookie Secure cookie handling SecureCookie, CookieBuilder, CookieOptions
Password Password validation and hashing PasswordPolicy, PwnedPasswordChecker, PepperedPasswordHasher
Sanitization Input sanitization (HTML, SQL, URI, Path) HtmlSanitizer, UriSanitizer, PathValidator
RateLimiting Rate limiting with multiple algorithms DefaultRateLimiter, RateLimitConfig
SRI Subresource Integrity hash generation SriHashGenerator, IntegrityAttribute
Logging Security event audit logging SecurityAuditLogger, SecurityEvent

Requirements

  • PHP ^8.4
  • ext-dom
  • ext-libxml
  • ext-sodium

Installation

composer require zappzarapp/security

Quick Start

Security Headers

use Zappzarapp\Security\Headers\Builder\SecurityHeadersBuilder;

$headers = SecurityHeadersBuilder::recommended()->build();
foreach ($headers as $name => $value) {
    header("{$name}: {$value}");
}

CSP with Nonces

use Zappzarapp\Security\Csp\HeaderBuilder;
use Zappzarapp\Security\Csp\Directive\CspDirectives;
use Zappzarapp\Security\Csp\Nonce\NonceGenerator;

$generator = new NonceGenerator();
$csp = HeaderBuilder::build(CspDirectives::strict(), $generator);
header("Content-Security-Policy: {$csp}");

$nonce = $generator->get();
echo "<script nonce=\"{$nonce}\">console.log('Safe!');</script>";

CSRF Protection

use Zappzarapp\Security\Csrf\CsrfProtection;
use Zappzarapp\Security\Csrf\Storage\SessionCsrfStorage;

$csrf = new CsrfProtection(new SessionCsrfStorage());

// Generate token for form
$token = $csrf->generateToken();
echo '<input type="hidden" name="_token" value="' . $token->value() . '">';

// Validate on submission
if (!$csrf->validateToken($_POST['_token'])) {
    throw new Exception('CSRF validation failed');
}

Input Sanitization

use Zappzarapp\Security\Sanitization\Html\HtmlSanitizer;
use Zappzarapp\Security\Sanitization\Path\PathValidator;

// Sanitize HTML (removes dangerous tags/attributes)
$sanitizer = new HtmlSanitizer();
$safe = $sanitizer->sanitize($userInput);

// Validate file paths (prevent directory traversal)
$validator = new PathValidator('/var/www/uploads');
if (!$validator->isValid($userPath)) {
    throw new Exception('Invalid path');
}

See the documentation for detailed examples of all modules.

Documentation

Each module has detailed API documentation with class references, configuration options, and code examples:

Module Description
CSP Content Security Policy with nonces
Headers HSTS, COOP, COEP, CORP, Permissions
CSRF Token patterns and validation
Cookie Secure cookie handling
Password Hashing, policies, breach detection
Sanitization HTML, URI, path sanitization
Rate Limiting Token bucket, sliding window
SRI Subresource integrity hashes
Logging Security audit logging
Glossary Security terminology reference

Versioning

This library follows Semantic Versioning 2.0.0.

All classes, interfaces, and methods in the Zappzarapp\Security namespace are considered public API unless marked with @internal. Breaking changes only happen in major versions, with deprecation warnings at least one minor version before removal.

Releases are automated via release-please and GPG-signed. See CHANGELOG.md for release history.

Security

See SECURITY.md for vulnerability reporting and security considerations.

Contributing

See CONTRIBUTING.md for development setup and contribution guidelines.

License

MIT License - see LICENSE file for details.