This project is a high-security PHP request router designed to prevent:
- Direct file access
- URL tampering
- Token replay attacks
- Bot scraping
- Mass link sharing abuse
- Path traversal attacks
- Configuration leaks
- Automated brute-force traffic
Instead of allowing users to open files directly, every request must pass cryptographic signature verification + behavioural security checks before content is served.
This router follows a Zero Trust Request Model: every request is treated as potentially hostile until verified.
Traditional routing:
user → /dashboard.php → file served
Secure signed routing:
user → signed URL → router → security validation → file served
The attack surface shrinks to a single entry point: nothing is served until a request has passed the router's signature and behaviour checks.
Request processing pipeline:

```text
Request
  ↓
Forbidden Path Filter
  ↓
Signature Validation
  ↓
Token Replay Protection
  ↓
Token Leak Detection
  ↓
Rate Limiting
  ↓
Bot Behaviour Scoring
  ↓
Stealth Ban Check
  ↓
Secure File Serve
```

Each layer blocks attacks independently; a request must pass all of them before a file is served.
Project layout:

```text
project-root/
├── v.php                  Main router entry point
├── error.html             Generic error page
├── .set/
│   └── router_config.php  Main configuration
└── .runtime/
    ├── m.json             Route mapping database
    ├── u.json             Token replay database
    ├── b.json             Bot score database
    ├── r.json             Rate limit database
    ├── k.json             Token leak tracker
    ├── x.json             Stealth banned IP list
    ├── a.log              Access logs
    └── s.log              Security logs
```
The configuration file `.set/router_config.php` controls the behaviour of the entire system.

```php
define('ROUTER_NAME','v.php');
define('SIGN_SECRET','CHANGE_THIS_TO_LONG_RANDOM_SECRET');
define('SIGNED_TTL',300);
define('LOG_DEDUPE_WINDOW',5);
```

ROUTER_NAME is the filename of the router entry point; it is embedded in every signed URL.
SIGN_SECRET is used for:
- URL signature generation
- Tamper detection
If changed:
- All existing signed URLs instantly become invalid
Use:
- 64+ random characters from a cryptographic random source
- Never commit the real secret to a public repo
SIGNED_TTL controls the signed URL lifetime in seconds.
| Value | Behaviour |
|---|---|
| 60 sec | Ultra secure |
| 300 sec | Balanced (recommended) |
| 600+ sec | High performance / CDN |
LOG_DEDUPE_WINDOW (seconds) suppresses repeated identical log entries within the window, preventing log spam.
RATE_LIMIT_MAX = 40
RATE_LIMIT_WINDOW = 60 seconds
Meaning: at most 40 suspicious events per minute per IP before rate limiting applies.
TOKEN_REPLAY_WINDOW = 7200 seconds
A token is valid for at most 2 hours.
BOT_SCORE_BASE = 60
Base bot-score threshold; the adaptive threshold adjusts dynamically from this value as traffic behaviour changes.
STEALTH_BAN_TIME = 900 seconds
An IP that crosses the threshold is silently blocked for 15 minutes.
The block answers with a fake 404 so the attacker cannot distinguish a ban from a missing resource.
The router uses JSON files instead of SQL for speed and portability.
u.json (token replay database) tracks, per token:
- Token signature
- IP used
- Session used
- Refresh count
- Expiry time
This prevents:
- Link sharing abuse
- Mass replay attacks
b.json (bot score database) stores a per-IP behaviour score.
The score increases on:
- Invalid signature
- Replay attempt
- Token leak detected
r.json (rate limit database) stores a timestamp list of suspicious actions per IP.
k.json (token leak tracker) tracks how many unique IPs use the same token.
If more than 5 → suspicious.
x.json (stealth banned IP list) stores each banned IP with its expiry time.
Old entries automatically deleted:
| File | Lifetime |
|---|---|
| u.json | 24 hours |
| k.json | 7 days |
| b.json | 14 days |
| r.json | 1 hour |
This lazy cleanup prevents unbounded storage growth.
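The pattern the runtime JSON files need under concurrent PHP requests, as an added example (not the project's own code): an exclusive `flock` held around the whole read-modify-write cycle, a write through a temp file plus `rename` so a crash never leaves a half-written database, and the lazy cleanup from the lifetime table above. The `ts` field used for pruning and the function names are assumptions about record shape; the lifetimes are the page's. Requires PHP 7.4+ on a POSIX filesystem.

```php
<?php
// Added example, not the project's own code. Locked, atomic read-modify-write
// for the .runtime/*.json databases, with lazy pruning by file lifetime.
// Assumption: every record is an array carrying a 'ts' (unix time) field.

declare(strict_types=1);

/** Lifetimes from the table above, in seconds. */
const JSON_LIFETIMES = [
    'u.json' => 24 * 3600,
    'k.json' => 7 * 86400,
    'b.json' => 14 * 86400,
    'r.json' => 3600,
];

/** Drop entries whose 'ts' is older than the file's lifetime; files without a lifetime are left alone. */
function prune_stale(string $file, array $data, int $now): array
{
    $lifetime = JSON_LIFETIMES[basename($file)] ?? null;
    if ($lifetime === null) {
        return $data;
    }
    return array_filter(
        $data,
        fn($rec): bool => !is_array($rec) || !isset($rec['ts']) || $rec['ts'] >= $now - $lifetime
    );
}

/**
 * Atomically update a JSON database: $fn receives the decoded (and pruned)
 * array and returns the new array. The exclusive lock covers the whole cycle,
 * so two concurrent requests cannot both read the old state and overwrite
 * each other's changes (the classic lost-update race on shared files).
 */
function json_update(string $file, callable $fn, ?int $now = null): array
{
    $now  = $now ?? time();
    $lock = fopen($file . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException("cannot lock $file");
    }
    try {
        $raw  = is_file($file) ? file_get_contents($file) : '{}';
        $data = json_decode($raw === false ? '{}' : $raw, true);
        if (!is_array($data)) {
            $data = [];   // corrupted or truncated file: start over rather than fatal
        }
        $data = $fn(prune_stale($file, $data, $now));
        $tmp  = $file . '.tmp.' . getmypid();
        file_put_contents($tmp, json_encode($data, JSON_THROW_ON_ERROR), LOCK_EX);
        rename($tmp, $file);   // atomic replace on the same filesystem
        return $data;
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// Demo on a temporary copy of r.json with constructed records.
$dir  = sys_get_temp_dir() . '/router_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = "$dir/r.json";
$now  = time();

// First request: an entry that is already two hours old.
json_update($file, fn(array $d): array => $d + ['203.0.113.9' => ['ts' => $now - 7200, 'hits' => 3]], $now);
// Second request: adds a fresh entry; the two-hour-old one exceeds r.json's one-hour lifetime and is pruned on load.
$state = json_update($file, function (array $d) use ($now): array {
    $d['198.51.100.4'] = ['ts' => $now, 'hits' => 1];
    return $d;
}, $now);
print_r(array_keys($state));
```

The lock file lives beside the database rather than being the database itself, so the `rename` that replaces the data file never invalidates the descriptor other requests are waiting on.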
Each session receives unique visitor ID:
VIS-XXXXXX
Used for:
- Behaviour tracking
- Log correlation
- Session pattern analysis
The router collects IP intelligence for each visitor:
- Country
- City
- ISP
- VPN detection
- Hosting detection
- Mobile network detection
Cached for 24 hours per session for performance.
A signed URL contains:
| Parameter | Meaning |
|---|---|
| id | route ID |
| exp | expiry timestamp |
| router | router filename |
| sig | HMAC signature |
The signature is computed as follows:
1. Sort the parameters by name
2. Build the query string
3. Compute HMAC-SHA256 over it using SIGN_SECRET
If any parameter is modified → signature mismatch and the request is rejected.
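Signing and verification following the three steps above, as an added example (not the project's own code): the constants stand in for `.set/router_config.php`, and the function names `canonical_query`, `build_signed_url` and `verify_signed_params` are assumptions. Requires PHP 7.4+.

```php
<?php
// Added example, not the project's own code: build and verify a signed URL
// (sort parameters, build the query string, HMAC-SHA256 with SIGN_SECRET).

declare(strict_types=1);

// Stand-ins for the values in .set/router_config.php.
const ROUTER_NAME = 'v.php';
const SIGN_SECRET = 'example-only-replace-with-64-plus-random-characters';
const SIGNED_TTL  = 300;

/** The string that gets signed: every parameter except sig, sorted by name. */
function canonical_query(array $params): string
{
    unset($params['sig']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Build a signed URL for a route ID (exp = now + SIGNED_TTL). */
function build_signed_url(string $routeId, ?int $now = null): string
{
    $now = $now ?? time();
    $params = [
        'id'     => $routeId,
        'exp'    => (string) ($now + SIGNED_TTL),
        'router' => ROUTER_NAME,
    ];
    $params['sig'] = hash_hmac('sha256', canonical_query($params), SIGN_SECRET);
    return '/' . ROUTER_NAME . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Validate the query parameters of an incoming request ($_GET in the router).
 * Returns null when valid, otherwise a short reason suitable for s.log.
 */
function verify_signed_params(array $query, ?int $now = null): ?string
{
    $now = $now ?? time();
    foreach (['id', 'exp', 'router', 'sig'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return "missing_$k";   // also rejects array-valued params such as ?sig[]=x
        }
    }
    if ($query['router'] !== ROUTER_NAME) {
        return 'router_mismatch';
    }
    // Verify the signature before trusting any other field; hash_equals is constant-time.
    // Any extra or altered parameter changes the canonical string and fails here.
    $expected = hash_hmac('sha256', canonical_query($query), SIGN_SECRET);
    if (!hash_equals($expected, $query['sig'])) {
        return 'bad_signature';
    }
    if (!ctype_digit($query['exp']) || (int) $query['exp'] < $now) {
        return 'expired';
    }
    return null;
}

// Demo: a freshly built URL verifies; changing one parameter breaks the signature.
$url = build_signed_url('a92bd1');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(verify_signed_params($q));   // untouched query
$q['id'] = '0';                       // tampered route ID
var_dump(verify_signed_params($q));   // signature no longer matches
```

Because the canonical string covers every parameter except `sig`, an attacker cannot add or remove parameters either; the expiry is checked only after the signature so that an attacker cannot extend `exp` on a captured URL.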
Each token:
- Bound to IP
- Bound to session
- Allows limited refresh
- Expires automatically
If used from a different IP → blocked.
If the same signed token is used by multiple IPs, the bot score increases → the IPs are eventually blocked.
Prevents:
- Telegram link sharing
- Public forum link posting
- Scraper distribution
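The binding and leak rules above as an added example (not the project's own code), operating on the record shapes of `u.json` (signature, IP, session, refresh count, expiry) and `k.json` (IPs seen per token) held in plain PHP arrays so it runs without files. `TOKEN_REPLAY_WINDOW` and the limit of 5 IPs come from the page; `MAX_REFRESH` and the function names are assumptions, since the page only says refreshes are limited. Requires PHP 7.4+.

```php
<?php
// Added example, not the project's own code: token binding, refresh limits,
// expiry, and multi-IP leak detection over in-memory state.

declare(strict_types=1);

const TOKEN_REPLAY_WINDOW = 7200; // from the page: a token lives at most 2 hours
const MAX_REFRESH         = 3;    // assumption: the page gives no number
const LEAK_IP_LIMIT       = 5;    // from the page: more than 5 IPs is suspicious

/**
 * Record one use of a signed token.
 * $usage maps sig => record (u.json shape); $leaks maps sig => [ip => first seen] (k.json).
 * Returns 'ok' or a reason the caller can score and log.
 */
function record_token_use(array &$usage, array &$leaks, string $sig, string $ip, string $session, int $now): string
{
    // Leak tracking runs first so a shared link is counted even when this use is blocked.
    $leaks[$sig][$ip] = $leaks[$sig][$ip] ?? $now;
    if (count($leaks[$sig]) > LEAK_IP_LIMIT) {
        return 'token_leaked';
    }

    if (!isset($usage[$sig])) {
        // First sight: bind the token to this IP and session.
        $usage[$sig] = [
            'ip'        => $ip,
            'session'   => $session,
            'refreshes' => 0,
            'expires'   => $now + TOKEN_REPLAY_WINDOW,
        ];
        return 'ok';
    }

    $rec = &$usage[$sig];
    if ($now > $rec['expires']) {
        return 'token_expired';
    }
    if ($rec['ip'] !== $ip) {
        return 'ip_mismatch';
    }
    if (!hash_equals($rec['session'], $session)) {   // constant-time compare for the session ID
        return 'session_mismatch';
    }
    if ($rec['refreshes'] >= MAX_REFRESH) {
        return 'refresh_limit';
    }
    $rec['refreshes']++;
    return 'ok';
}

/** Lazy cleanup: drop expired records; returns how many were removed. */
function prune_token_usage(array &$usage, int $now): int
{
    $before = count($usage);
    $usage  = array_filter($usage, fn(array $r): bool => $r['expires'] >= $now);
    return $before - count($usage);
}

// Demo with constructed data.
$usage = [];
$leaks = [];
$sig   = str_repeat('ab', 32);   // constructed 64-hex-char signature
$t0    = 1_700_000_000;

echo record_token_use($usage, $leaks, $sig, '203.0.113.10', 'sess-1', $t0), PHP_EOL;      // first use binds
echo record_token_use($usage, $leaks, $sig, '203.0.113.10', 'sess-1', $t0 + 5), PHP_EOL;  // same IP and session: refresh
echo record_token_use($usage, $leaks, $sig, '198.51.100.7', 'sess-1', $t0 + 9), PHP_EOL;  // different IP
// The same token arriving from six more addresses: it is being passed around.
foreach (range(1, 6) as $i) {
    echo record_token_use($usage, $leaks, $sig, "192.0.2.$i", 'sess-x', $t0 + 10 + $i), PHP_EOL;
}
echo 'pruned: ', prune_token_usage($usage, $t0 + TOKEN_REPLAY_WINDOW + 1), PHP_EOL;
```

The leak counter is deliberately updated before the binding check: a token shared on a forum is blocked per request by the IP binding anyway, but only the per-token IP set tells the scorer that the link itself has leaked.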
Each suspicious behaviour adds points.
Example:
| Action | Score |
|---|---|
| Invalid signature | +10 |
| Replay attempt | +15 |
| Token leak | +20 |
Adaptive threshold increases if bot traffic increases.
Instead of a visible block (such as a 403), a banned request receives:
404 Not Found
The attacker sees a missing resource rather than a block, which makes probing the ban logic harder.
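Rate limiting, scoring and the stealth ban together, as an added example (not the project's own code), again over in-memory state shaped like `r.json`, `b.json` and `x.json`. The weights in the table above, the 40-per-60-seconds limit, `BOT_SCORE_BASE` and `STEALTH_BAN_TIME` are the page's values; the adaptive-threshold rule and the function names are assumptions, because the page says the threshold rises with bot traffic but does not give a formula. Requires PHP 7.4+.

```php
<?php
// Added example, not the project's own code: rate limiting, bot scoring with an
// adaptive threshold, and a stealth ban that looks like a plain 404.

declare(strict_types=1);

const RATE_LIMIT_MAX    = 40;
const RATE_LIMIT_WINDOW = 60;
const BOT_SCORE_BASE    = 60;
const STEALTH_BAN_TIME  = 900;

/** Points per suspicious event, from the table above. */
const EVENT_SCORES = ['invalid_signature' => 10, 'replay_attempt' => 15, 'token_leak' => 20];

/** Append a suspicious-event timestamp for $ip (r.json) and report whether the window is exceeded. */
function rate_limited(array &$rate, string $ip, int $now): bool
{
    $rate[$ip]   = array_values(array_filter($rate[$ip] ?? [], fn(int $t): bool => $t > $now - RATE_LIMIT_WINDOW));
    $rate[$ip][] = $now;
    return count($rate[$ip]) > RATE_LIMIT_MAX;
}

/** Assumed adaptive rule: the threshold rises by one point per currently banned IP, capped at twice the base. */
function bot_threshold(array $bans, int $now): int
{
    $active = count(array_filter($bans, fn(int $until): bool => $until > $now));
    return min(BOT_SCORE_BASE * 2, BOT_SCORE_BASE + $active);
}

/** Score one event for $ip (b.json) and ban it (x.json) when the threshold is crossed. Returns the new score. */
function score_event(array &$scores, array &$bans, string $ip, string $event, int $now): int
{
    $scores[$ip] = ($scores[$ip] ?? 0) + (EVENT_SCORES[$event] ?? 0);
    if ($scores[$ip] >= bot_threshold($bans, $now)) {
        $bans[$ip] = $now + STEALTH_BAN_TIME;
    }
    return $scores[$ip];
}

/** True while the IP is stealth-banned; an expired ban is dropped lazily on lookup. */
function is_banned(array &$bans, string $ip, int $now): bool
{
    if (isset($bans[$ip]) && $bans[$ip] <= $now) {
        unset($bans[$ip]);
    }
    return isset($bans[$ip]);
}

/** Stealth block: same status, headers and body as a genuinely missing resource. */
function serve_stealth_404(string $errorPage = __DIR__ . '/error.html'): void
{
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    if (is_file($errorPage)) {
        readfile($errorPage);
    }
    exit;
}

// Demo with constructed state.
$scores = []; $bans = []; $rate = [];
$ip = '203.0.113.5'; $t = 1_700_000_000;

// 41 suspicious events inside one window: only the last one trips the limiter.
$tripped = 0;
for ($i = 0; $i <= RATE_LIMIT_MAX; $i++) {
    if (rate_limited($rate, $ip, $t + $i)) {
        $tripped++;
    }
}
echo "rate limiter tripped {$tripped} time(s)", PHP_EOL;

// Five scored events: 10 + 10 + 15 + 20 + 20 = 75 points, above the base threshold of 60.
foreach (['invalid_signature', 'invalid_signature', 'replay_attempt', 'token_leak', 'token_leak'] as $i => $ev) {
    score_event($scores, $bans, $ip, $ev, $t + $i);
}
if (is_banned($bans, $ip, $t + 10)) {
    // In the router this is where serve_stealth_404() would run.
    echo "banned until {$bans[$ip]}", PHP_EOL;
}
```

One caveat a practitioner will want: the stealth response must be byte-for-byte identical to the router's real 404 (same `error.html`, same headers, similar timing), otherwise the "fake" 404 is itself a fingerprint that tells a scraper it has been banned.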
Route mappings are stored in `.runtime/m.json`.
Example:

```json
{
"0": "index.html",
"a92bd1": "dashboard.php"
}
```

If a user accesses:
/dashboard.php
the router automatically:
- Generates a route ID
- Stores the mapping
- Redirects to the signed URL
The access log (a.log) records:
- Visitor ID
- Route ID
- Access Type
- Original URL
- Final Signed URL
- Device
- Network type
The security log (s.log) records:
- Attack type
- Exact URL
- IP
- Device
- ISP
- Country
- Reason for block
The router classifies each request by access type:
| Type | Meaning |
|---|---|
| USER_ACTION | Normal navigation |
| AUTO_BROWSER | Reload or resource load |
| BACKGROUND_FETCH | AJAX or silent request |
| REDIRECT_CHAIN | Multi redirect flow |
| SESSION_EXPIRE | Session timeout redirect |
Useful for analytics + bot detection.
How each threat from the list at the top is handled:
| Threat | Defence |
|---|---|
| Token replay and link sharing | Token usage tracking (IP and session binding, refresh limits, expiry) |
| URL tampering | HMAC signature verification |
| Bot scraping | Rate limiting + bot scoring |
| Path traversal | realpath directory enforcement |
| Configuration leaks | Forbidden path filters |
| Automated brute-force traffic | Adaptive scoring system blocks suspicious behaviour |
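The forbidden path filter and the realpath containment check, as an added example (not the project's own code). The deny list covers the layout shown earlier (`.set`, `.runtime`, `router_config.php`, the JSON databases and logs); the `.git`, `.env`, `.htaccess` and backup-file entries are additions beyond the page, and the function names are assumptions. Requires PHP 8.0+ (`str_contains`, `str_starts_with`).

```php
<?php
// Added example, not the project's own code: forbidden-path filtering and
// realpath-based containment against traversal and symlink escapes.

declare(strict_types=1);

/** Path fragments that are never served, matched against the URL-decoded path. */
const FORBIDDEN_PATTERNS = [
    '#(^|/)\.(set|runtime|git|env|htaccess)(/|$)#i',   // dot directories and dot files
    '#\.(json|log|ini|bak|sql)$#i',                    // runtime databases, logs, backups
    '#(^|/)router_config\.php$#i',
];

function is_forbidden_path(string $relative): bool
{
    $decoded = rawurldecode($relative);
    // Encoded NULs and backslashes are classic ways to smuggle traversal past string filters.
    if (str_contains($decoded, "\0") || str_contains($decoded, '\\')) {
        return true;
    }
    foreach (FORBIDDEN_PATTERNS as $re) {
        if (preg_match($re, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve $relative inside $webRoot. Returns the real path, or null when the
 * file does not exist or resolves outside the root (../ sequences, symlinks).
 */
function resolve_inside_root(string $webRoot, string $relative): ?string
{
    $root = realpath($webRoot);
    if ($root === false) {
        return null;
    }
    $target = realpath($root . '/' . ltrim(rawurldecode($relative), '/'));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Prefix check with a trailing separator, so /var/www-evil does not pass for /var/www.
    if (!str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

// Demo on a constructed temporary tree: one servable file, one runtime file,
// and one file just outside the root.
$root    = sys_get_temp_dir() . '/router_demo_' . bin2hex(random_bytes(4));
$outside = dirname($root) . '/outside_' . basename($root) . '.txt';
mkdir("$root/.runtime", 0700, true);
file_put_contents("$root/index.html", 'hello');
file_put_contents("$root/.runtime/u.json", '{}');
file_put_contents($outside, 'secret');

$requests = [
    'index.html',
    '../' . basename($outside),   // traversal to an existing file outside the root
    '.runtime/u.json',            // runtime database
    '.runtime%2Fu.json',          // same, with an encoded slash
    '%2e%2e/etc/passwd',          // encoded dot-dot
];
foreach ($requests as $req) {
    $verdict = is_forbidden_path($req) ? 'forbidden' : (resolve_inside_root($root, $req) ?? 'outside or missing');
    printf("%-32s => %s\n", $req, $verdict);
}

// Clean up the demo tree.
unlink("$root/.runtime/u.json"); rmdir("$root/.runtime"); unlink("$root/index.html"); rmdir($root); unlink($outside);
```

The two checks are complementary: the pattern filter answers before touching the filesystem and catches names that should not exist at all, while `realpath` is the only reliable answer to `..`, double encoding and symlinks, because it asks the kernel where the path really lands.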
Performance optimisations:
- Session caching for IP intelligence
- JSON lazy cleaning
- Log deduplication
- Smart 2-second router dedupe
- No database overhead
Suggested tuning profiles (the values shown earlier are the default row):
| Profile | SIGNED_TTL | RATE_LIMIT_MAX | BOT_SCORE_BASE |
|---|---|---|---|
| Strict | 120 | 20 | 40 |
| Balanced (default) | 300 | 40 | 60 |
| Relaxed / high traffic | 600 | 80 | 80 |
Installation:
1. Clone the repository.
2. Create the runtime folder and make it writable by the web server:

```sh
mkdir .runtime
chmod 777 .runtime
```

   `chmod 777` makes the directory world-writable; on a shared host prefer giving ownership to the web server user with `chown` and `chmod 750`, since the JSON databases and logs in this directory are security-relevant.
3. Create the config file `.set/router_config.php` and set a strong SIGN_SECRET.
4. Point the web root to the router location.
5. If the site is fronted by Cloudflare (Bot Fight Mode is a Cloudflare feature), enable:
- Bot Fight Mode
- Rate Limiting Rules
- WAF protection
6. In the web server configuration, disable direct PHP execution for everything except the router, and turn off directory listings with:
Options -Indexes
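An Apache `.htaccess` for the project root implementing the last step, as an added example (this is not a file shipped with the project). It assumes Apache 2.4 (`Require` syntax), an `AllowOverride` that permits `Options`, `FileInfo` and `AuthConfig`, and that the router reads the originally requested path from `$_SERVER['REQUEST_URI']`, which Apache preserves across the internal rewrite.

```apache
# Added example, not part of the project: .htaccess for the project root.

# No directory listings.
Options -Indexes

RewriteEngine On

# Configuration, runtime databases and logs never leave the server. Answer 404
# rather than 403 so the response does not confirm that the paths exist.
RewriteRule ^\.(set|runtime)(/|$) - [R=404,L]
RewriteRule \.(json|log)$ - [R=404,L]

# Everything that is not the router itself is handed to the router, which
# validates the request and either redirects to a signed URL or serves the file.
RewriteRule !^v\.php$ v.php [L]

# Defence in depth if rewriting is ever disabled: no PHP file is reachable
# directly except the router. <Files> sections merge in order, so the later
# grant for v.php overrides the blanket deny.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
<Files "v.php">
    Require all granted
</Files>
```

The `404` rules are placed before the catch-all on purpose: rewrite rules run top to bottom, and the first match with `L` ends processing, so a request for `.runtime/u.json` is rejected before it can be routed anywhere.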
Roadmap:
- Redis in-memory token store
- JWT token replacement
- Machine learning bot detection
- Device fingerprint scoring
- Behaviour anomaly detection
- Real time threat dashboard
MIT License
This router is built on:
- Security first design
- Minimal trust surface
- Behaviour driven blocking
- Low infrastructure dependency
- High portability
Pull requests are welcome. For major changes, open an issue first to discuss what you would like to change.
Built with focus on real-world attack patterns and practical defence strategies.