// case study · 2024

A web application firewall built into the Laravel ecosystem

A comprehensive WAF for a Laravel-based ecosystem with Redis-backed rate limiting, IP-based protection, multi-CAPTCHA integration, and a Vue.js admin surface for live security controls.

Client: Direct
Sector: Security
Role: Tech Lead
Engagement: Internal product · 14 weeks
Team: 3 (1 lead, 1 backend, 1 frontend)
Stack: Laravel · Redis · Vue.js · reCAPTCHA v3
Year: 2024

The brief

The Direct ecosystem (Wallet, Hotels, Surveys, internal CRM) was being hit by the same attacks across every app — credential stuffing, scraping, brute-force on auth. Off-the-shelf WAFs were either a heavyweight Cloudflare upgrade or a generic plugin that didn’t understand the auth surfaces. We built one in-house that the application itself could observe and tune in real time.

What we built

  • Multi-layer rate limiting in Redis with per-route, per-IP, per-user, and per-tenant buckets — burst and sustained windows tuned per surface.
  • Multi-CAPTCHA orchestration with reCAPTCHA v3, Cloudflare Turnstile, and an internal proof-of-work fallback for clients who can’t ship Google scripts.
  • IP intelligence layer with allow / deny / suspect lists, geo-blocking, and ASN reputation pulled from a third-party feed.
  • Live admin in Vue.js — operations team can flip rules, replay blocked traffic, and unblock users without touching config files.
  • Detailed event log with attack-fingerprint clustering so the team can see “all of these requests are the same actor” without reading raw logs.
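To make the multi-layer bucket idea concrete, here is an added example (not the product's code) of the layout behind "per-route, per-IP, per-user, per-tenant buckets with burst and sustained windows": one fixed-window counter per dimension and window, keyed in Redis and advanced with the INCR-then-EXPIRE pattern, where a request passes only if every applicable bucket is still under its limit. The Redis client, the key format and the traffic scenario are all constructed for the illustration.

```python
"""Multi-layer fixed-window rate limiter on the Redis INCR + EXPIRE pattern.
FakeRedis is a constructed in-memory stand-in so the example runs offline."""
from dataclasses import dataclass

class FakeRedis:
    """Stand-in exposing just INCR with an expiry set on a key's first hit."""
    def __init__(self):
        self.store, self.ttl, self.now = {}, {}, 0.0  # counts, expiries, fake clock
    def incr(self, key, ttl):
        if key not in self.store or self.ttl[key] <= self.now:
            self.store[key], self.ttl[key] = 0, self.now + ttl  # first hit opens window
        self.store[key] += 1
        return self.store[key]

@dataclass(frozen=True)
class Rule:
    dimension: str    # "route", "ip", "user" or "tenant"
    burst: tuple      # (max_hits, window_seconds) for short spikes
    sustained: tuple  # (max_hits, window_seconds) for slow-and-low campaigns

class Limiter:
    def __init__(self, redis, rules):
        self.redis, self.rules = redis, rules
    def check(self, surface, ids):
        """Return (allowed, tripped_key); ids maps dimension -> identifier. Every
        applicable bucket is incremented even on denial, so a blocked client
        cannot probe for the reset boundary."""
        tripped = None
        for rule in self.rules:
            ident = ids.get(rule.dimension)
            if ident is None:          # e.g. an anonymous request has no user id
                continue
            for kind, (limit, window) in (("burst", rule.burst), ("sustained", rule.sustained)):
                slot = int(self.redis.now // window)   # fixed-window number
                key = f"rl:{surface}:{rule.dimension}:{ident}:{kind}:{slot}"
                if self.redis.incr(key, window) > limit and tripped is None:
                    tripped = key
        return tripped is None, tripped

def login_scenario():
    """Constructed traffic against a 'login' surface; returns the tripped keys."""
    r = FakeRedis()
    lim = Limiter(r, [Rule("ip", (3, 10), (5, 60)), Rule("user", (2, 10), (10, 60))])
    ip, alice = {"ip": "203.0.113.5"}, {"ip": "203.0.113.5", "user": "alice"}
    results = [lim.check("login", alice) for _ in range(3)]  # 3rd trips user burst
    results.append(lim.check("login", ip))                   # 4th trips ip burst
    r.now = 10.0                                             # 10 s burst windows roll over
    results += [lim.check("login", ip), lim.check("login", ip)]  # 6th trips ip sustained
    return [t for _, t in results]
```

The returned key names the dimension and window that tripped, which is what an operator needs to surface in an event log; a real deployment would compute the window from the server clock and run the INCR/EXPIRE pair atomically (MULTI or a Lua script) rather than as two calls.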

Outcome

The Direct apps stopped getting paged for credential-stuffing campaigns within the first two weeks of rollout. The ops team went from triaging blocks over SSH to running everything from the admin panel. The package is reusable across the rest of the ecosystem with one config file per app.

// next step

Have a project like this?

Tell us about it. We respond within one working day with a written estimate or a calendar link.

Start a project