All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- WAF Pattern Detection — 15 attack types with 100+ regex patterns
  - SQL Injection, XSS, Path Traversal, Command Injection
  - SSRF, XXE, NoSQL Injection, LDAP Injection, SSTI
  - Open Redirect, File Inclusion, PHP Serialization
  - Directory Bruteforce, Header Injection, Suspicious User Agent
- IP Blocking — temporary blocks with automatic expiration
- Progressive Escalation — block duration doubles per re-offense (max 7 days)
- Behavior Tracking — request rate, 404 errors, login attempts, threat score
- Multi-Layer Decoding — URL decode (single/double) + HTML entity decode
- IP Whitelist — exact match + CIDR notation support
- Login Route Detection — brute-force protection for configured login routes
- Caching Layer — cached blocked IP lookups via Laravel Cache (PR #22)
- Event System — 4 Laravel events: ThreatDetected, IpBlocked, IpUnblocked, BehaviorThresholdExceeded (PR #25)
- Notification Support — email/Slack alerts with severity filtering and rate limiting (PR #26)
- IP Threat Score Decay — gradual score reduction for inactive IPs (PR #24)
- Scheduled Cleanup — auto-registration of cleanup commands (PR #23)
- Custom Pattern Plugin — `registerScenario()` for runtime pattern registration (PR #27)
- Honeypot Route Trap — `crowdsec.honeypot` middleware for scanner detection (PR #28)
- Per-Route Rate Limiting — `crowdsec.rate:60,1` middleware (PR #29)
- SIEM Export — `crowdsec:export` command with JSON, CSV, Syslog (RFC 5424) formats (PR #30)
- GeoIP Lookup — ip-api.com provider with 24h caching (PR #31)
- REST API — 6 endpoints for programmatic management (PR #32)
- Admin Dashboard — standalone Blade dashboard with dark theme (PR #33)
- CLI Commands — `crowdsec:stats`, `crowdsec:cleanup`, `crowdsec:export`
- Facade API — `CrowdSec::blockIp()`, `isBlocked()`, `unblockIp()`, `analyzeRequest()`
- Auto-Migration — 3 database tables created automatically
- GitHub Actions CI — PHP 8.1/8.2/8.3 × Laravel 10.x/11.x matrix (PR #18)
- ReDoS Protection — `safeMatch()` wrapper with pcre.backtrack_limit=10,000 and 8KB input truncation (PR #43)
- Tightened Patterns — replaced risky `.*` quantifiers with bounded `[^x]{0,200}` alternatives
- Fail-Open Design — WAF errors never crash the application
- 136 tests with 202 assertions
  - 27 unit tests, 22 integration tests, 20 edge case tests
  - 8 performance benchmarks (all <1ms)
  - 45 new feature tests (PR #42)
  - 14 ReDoS resistance tests (PR #43)
- Initial release with core WAF detection (12 attack types)
- IP blocking with expiration
- Behavior tracking
- CLI commands (stats, cleanup)
- Facade API
- 27 unit tests
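
The ReDoS Protection, Tightened Patterns and Fail-Open Design entries above, illustrated as an added example that is not the package's own `safeMatch()` code. The name `safeMatchSketch`, the constants, and the sample patterns and inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration, not the package's implementation. safeMatchSketch(),
// the constants and the sample patterns/inputs are constructed for this example.

const MAX_INPUT_BYTES = 8192;     // 8KB input truncation from the changelog entry
const BACKTRACK_LIMIT = '10000';  // pcre.backtrack_limit value from the entry

/**
 * True only on a confirmed match. A PCRE abort (e.g. backtrack limit hit),
 * an invalid pattern or any thrown error counts as "no match", so a WAF
 * fault never blocks or crashes the request (fail-open).
 */
function safeMatchSketch(string $pattern, string $input): bool
{
    $input = substr($input, 0, MAX_INPUT_BYTES);
    $previous = ini_set('pcre.backtrack_limit', BACKTRACK_LIMIT);
    try {
        $result = @preg_match($pattern, $input);
        if ($result === false) {
            error_log('WAF pattern skipped: ' . preg_last_error_msg());
            return false;
        }
        return $result === 1;
    } catch (\Throwable $e) {
        error_log('WAF pattern error: ' . $e->getMessage());
        return false;
    } finally {
        // Restore the application's own limit so other regex code is unaffected.
        if ($previous !== false) {
            ini_set('pcre.backtrack_limit', $previous);
        }
    }
}

// Nested quantifiers backtrack exponentially on a near-miss input; the
// lowered limit makes PCRE give up instead of burning CPU.
$risky = '/^(a+)+$/';
var_dump(safeMatchSketch($risky, str_repeat('a', 40) . '!'));

// Bounded form in the style the changelog describes: a negated class with
// {0,200} instead of an unbounded .* inside the tag.
$bounded = '/<script[^>]{0,200}>/i';
var_dump(safeMatchSketch($bounded, '<script src="//example.test/x.js">'));
var_dump(safeMatchSketch($bounded, str_repeat('<script ', 5000)));
```

Fail-open plus truncation trades coverage for availability: input past the first 8KB is never inspected, and a pattern that aborts is treated as a non-match, so aborted matches are worth logging and alerting on.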