PHP Web Application Firewall — v1.0

Drop-in security for your PHP apps.

BarcoShield is a lightweight, self-hosted WAF that blocks SQLi, XSS, brute-force attacks, flood traffic, and malicious uploads — with one line of code.


Everything a PHP app needs to stay safe.

Six layers of defense, zero dependencies. Just drop it in and it runs.

SQLi & XSS Detection

Scans all incoming request parameters — GET, POST, cookies, and headers — for SQL injection patterns and cross-site scripting payloads. Blocks or logs on match.

GET/POST · Cookies · Headers
🔐
Brute Force Protection

Tracks failed login attempts per IP with a rolling time window. After exceeding the threshold, the IP is auto-banned for a configurable duration.

5 attempts · 15 min ban · Custom paths
🌊
Flood / Rate Limiting

Limits requests per IP in a rolling window. Spikes that exceed the threshold trigger a temporary ban, protecting your server from volumetric attacks.

120 req/min · 5 min ban · File or DB
🌍
Geo-Blocking

Block entire countries by ISO-2 code. Uses ip-api.com with local caching to keep lookups fast. Simply add country codes to the config array.

ISO-2 codes · Geo cache · ip-api.com
📁
Malicious Upload Scanning

Validates uploaded files by MIME type, extension, size, and byte-level content scanning for embedded PHP code. Stops webshells before they land.

MIME check · PHP scan · Size limit
🗂️
IP / CIDR / Country Bans

Maintain manual ban lists for individual IPs, CIDR ranges, and country codes. Bans can be permanent or time-limited and managed via the admin dashboard.

Single IP · CIDR range · Timed bans
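
The four checks listed under Malicious Upload Scanning (size, extension, MIME type, byte-level scan), written out as an added example. This is not BarcoShield's code: the function name check_upload, the allowlist, the 2 MB cap and the marker list are assumptions.

```php
<?php
// Added example, not BarcoShield's code. The allowlist, size cap and
// marker list below are assumptions chosen for illustration.
const ALLOWED_TYPES = [            // extension => MIME type expected from the content
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const PHP_MARKERS = ['<?php', '<?='];  // short markers can also match random binary data

/** Returns null when the upload passes, otherwise the name of the failed check. */
function check_upload(string $clientName, string $tmpPath): ?string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        return 'size';
    }
    // Extension allowlist, taken from the final extension of the client file name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return 'extension';
    }
    // Sniff the MIME type from the bytes; $_FILES[...]['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return 'mime';
    }
    // Byte-level scan: a file with a valid image header can still carry PHP code.
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false) {
        return 'unreadable';
    }
    foreach (PHP_MARKERS as $marker) {
        if (stripos($bytes, $marker) !== false) {
            return 'embedded-php';
        }
    }
    return null;
}

// Constructed sample: PNG signature and IHDR chunk start with PHP appended.
$sample = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR" . pack('NNC5', 1, 1, 8, 2, 0, 0, 0)
        . '<?php echo 1; ?>';
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $sample);
var_dump(check_upload('avatar.png', $tmp));  // the PHP tag is in the file body
var_dump(check_upload('avatar.php', $tmp));  // extension is not on the allowlist
unlink($tmp);
```

Passing these checks does not make a file safe to serve: store it outside the web root under a server-generated name so a missed marker cannot execute.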

Watch the shield in action.

A live simulation of the BarcoShield admin dashboard — threats are generated in real time.

[Interactive dashboard demo. Panels: Blocked Today, Active Bans, Requests / hr, Top Threat, Live Threat Feed (time, IP, threat type, action), and Threat Breakdown (SQLi, XSS, Brute Force, Flood, Upload).]

One line. Full protection.

Compatible with any LAMP stack. No Composer. No dependencies.

<?php
// 1. Copy shield.php to your project
// 2. Add this as the FIRST line in your app:
require_once '/path/to/shield.php';

// That's it. BarcoShield is now active.
// ────────────────────────────────────
// Optional: report failed logins
// ($pass is the submitted password, $hash the stored password hash)
if (!password_verify($pass, $hash)) {
    BarcoShield::loginFailed();
    $error = 'Invalid credentials.';
}

1. Copy shield.php

Drop shield.php into your project root. No package manager needed — it's a single file.

2. Configure your database

Set your DB credentials in the $SHIELD_CONFIG block at the top of shield.php. Tables are auto-created on first run.

3. Require at entry points

Add one require_once as the very first line in each PHP file you want protected.

4. Open the admin dashboard

Navigate to /admin/ to monitor threats, manage bans, and fine-tune your rules in real time.

Ready to protect your apps?

BarcoShield is ready to deploy. Open the admin panel to start monitoring, or read the docs to configure it for your stack.