There are a few ways you can block invalid HTTP requests:
Use a Web Application Firewall (WAF), e.g. ModSecurity: A WAF is a security solution that sits between your website and the Internet. It analyzes incoming traffic and blocks requests that contain malicious payloads or violate your security policies.
Implement rate limiting (middleware): Rate limiting is a technique that limits the number of requests that a user or IP address can make to your website within a specified time period. This can help to prevent hackers from using automated tools to send a large number of invalid requests in a short period of time.
With the Web Application Firewall, do I need to overwrite my current user login procedures? I have written timeouts, logout after 3 attempts.
The WAF “allows” only requests that are valid. Your web server and Slim application respond only to “valid” / “allowed” HTTP requests. This means this should not affect your login procedure directly.
Is this Shieldon (WAF) good for PHP?
ModSecurity is EOL in July 2024, so it makes no sense to use it anymore.
Shieldon is a PHP and PSR-15 based middleware that would fit perfectly into a Slim 4 application.
The only drawback is that the HTTP request will reach your webserver anyway.
In the E-book Symfony Rate Limiter
Yes, my eBook Vol. 2 contains an article about the Symfony Rate Limiter that can be used as well.
Note that a Rate Limiter just blocks too many requests in a specific time range. But it does not protect you from a single malicious request.
In practice you might need a combination of multiple solutions to protect your application against different kinds of attacks.
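To show what such a combination looks like inside the application itself, here is an added example (not from the thread, the eBook, or Shieldon): a PSR-15 middleware for Slim 4 that first rejects structurally invalid requests and then applies a per-IP fixed-window rate limit. It assumes slim/slim 4, slim/psr7 and any PSR-16 cache implementation are installed via Composer; the method allowlist and the 60-requests-per-minute policy are assumed values.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\SimpleCache\CacheInterface;
use Slim\Psr7\Response;

final class RequestGuardMiddleware implements MiddlewareInterface
{
    private const ALLOWED_METHODS = ['GET', 'POST', 'HEAD']; // assumed policy
    private const MAX_REQUESTS = 60;                          // per window, per IP (assumed)
    private const WINDOW_SECONDS = 60;

    public function __construct(private CacheInterface $cache) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Layer 1: reject requests no legitimate client of this app would send,
        // before they reach the router or any login logic.
        if (!in_array($request->getMethod(), self::ALLOWED_METHODS, true)) {
            return $this->deny(405, 'Method Not Allowed');
        }
        $path = $request->getUri()->getPath(); // PSR-7 returns the still percent-encoded path
        if (preg_match('/[\x00-\x1f]/', $path) || str_contains($path, '..') || str_contains(strtolower($path), '%2e%2e')) {
            return $this->deny(400, 'Bad Request');
        }

        // Layer 2: fixed-window rate limit keyed by client IP.
        // Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, so resolve the real client IP there first.
        $ip = $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
        $key = 'rl_' . md5($ip) . '_' . intdiv(time(), self::WINDOW_SECONDS); // md5 keeps ':' of IPv6 out of the PSR-16 key
        $count = (int) $this->cache->get($key, 0) + 1;
        $this->cache->set($key, $count, self::WINDOW_SECONDS);
        if ($count > self::MAX_REQUESTS) {
            return $this->deny(429, 'Too Many Requests')->withHeader('Retry-After', (string) self::WINDOW_SECONDS);
        }

        return $handler->handle($request);
    }

    private function deny(int $status, string $reason): ResponseInterface
    {
        $response = (new Response())->withStatus($status);
        $response->getBody()->write($reason);
        return $response;
    }
}

// Register it in a Slim 4 app, outermost so it runs before routing: $app->add(new RequestGuardMiddleware($cache));
```

Like Shieldon, this still runs after the request has reached the webserver and PHP, so it complements rather than replaces filtering in front of the server.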
If I understand it correctly, if you use a WAF product that utilizes Slim Middleware, the request is already accessing Slim, and the best is to filter the request before it reaches Slim.
With ModSecurity, does the full package get installed under Public_html, similar to WordPress, or do you also need to tweak Apache?
I'm just brainstorming. I probably need to look for or write a standalone PHP program with a separate DB to filter the request. Do you know of other WAFs that could fit my situation? I don't think I'm the first person that encountered it.