## Supported Versions

We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 1.x | ✅ |
## Reporting a Vulnerability

We take the security of Laravel SISP seriously. If you discover a security vulnerability, please follow these guidelines.

Please do not:

- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed
- Exploit the vulnerability beyond what is necessary to demonstrate it

Please do:

- Email us directly at kidiatoliny@akira-io.com with:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact assessment
  - Suggested fix (if available)
- Allow reasonable time for us to respond and address the issue before public disclosure
- Act in good faith - avoid privacy violations, data destruction, or service interruption

Response timeline:

- Initial Response: Within 48 hours of report
- Status Update: Within 7 days with assessment and timeline
- Resolution: Depends on severity and complexity
## Environment Variables

Never commit sensitive credentials to version control. Keep them in your `.env` file (which is excluded from the repository):

```env
SISP_POS_ID=your_pos_id
SISP_POS_AUT_CODE=your_authorization_code
SISP_MERCHANT_ID=your_merchant_id
```

## Rate Limiting
Enable and configure rate limiting to prevent abuse:

```php
'rate_limiting' => [
    'enabled' => true,
    'per_ip' => [
        'enabled' => true,
        'limit' => 100,
        'window_seconds' => 3600,
    ],
],
```

## Security Features
Enable comprehensive security checks:

```php
'security' => [
    'collect_metadata' => true,
    'detect_vpn' => true,
    'detect_proxy' => true,
    'calculate_risk_score' => true,
    'block_vpn_proxy' => true,
],
```

## Encryption
Sensitive transaction payload data is automatically encrypted using the `EncryptsAttributes` trait. Ensure your `APP_KEY` is properly configured and kept secure.
## Database Security
- Use parameterized queries (handled by Eloquent)
- Implement proper database user permissions
- Enable SSL for database connections in production
- Regularly backup transaction data
## Fingerprint Validation

Always validate payment response fingerprints:

```php
use Akira\Sisp\Facades\Sisp;
use Akira\Sisp\ValueObjects\CallbackPayload;

$payload = CallbackPayload::from($request->all());

if (!Sisp::validateCallback($payload)) {
    throw new InvalidPaymentResponseException();
}
```
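As an added example (not the package's own code), here is a complete callback controller that applies the fingerprint check before any transaction state can change. It uses the `Sisp` facade and `CallbackPayload` value object shown above; the controller name, the `security` log channel and the `PaymentRecorder` service are hypothetical.

```php
<?php
// Added example, not part of the Laravel SISP package. Assumes the Sisp facade
// and CallbackPayload value object from the snippet above; the controller,
// the 'security' log channel and the PaymentRecorder service are hypothetical.

namespace App\Http\Controllers;

use Akira\Sisp\Facades\Sisp;
use Akira\Sisp\ValueObjects\CallbackPayload;
use App\Services\PaymentRecorder; // hypothetical: persists a verified payment
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

final class SispCallbackController
{
    public function __construct(private readonly PaymentRecorder $recorder)
    {
    }

    public function __invoke(Request $request): JsonResponse
    {
        $payload = CallbackPayload::from($request->all());

        // The fingerprint is the only proof that this callback came from the
        // gateway. Nothing below this check may run on an unverified payload.
        if (! Sisp::validateCallback($payload)) {
            Log::channel('security')->warning('SISP callback failed fingerprint validation', [
                'ip'     => $request->ip(),
                // Log field names only: the payload may carry customer data.
                'fields' => array_keys($request->all()),
            ]);

            // Same status and body for every rejection, so the response does
            // not reveal which part of the fingerprint check failed.
            return response()->json(['status' => 'rejected'], 403);
        }

        // Only a verified payload reaches business logic.
        $this->recorder->record($payload);

        return response()->json(['status' => 'ok']);
    }
}
```

Register this controller on the callback route behind the package's `PreventDuplicateCallback` middleware so that a replayed callback is dropped before it reaches the fingerprint check at all.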
## Webhook Protection

The package includes middleware to prevent duplicate callbacks:

```php
Route::post('sisp/callback', CallbackController::class)
    ->middleware(PreventDuplicateCallback::class);
```

## HTTPS Only
Always use HTTPS in production:

```php
URL::forceScheme('https');
```

## CORS Configuration
Restrict CORS if using API endpoints:

```php
'allowed_origins' => [env('APP_URL')],
```

## Amount Validation
Validate amounts server-side before processing:

```php
public function rules(): array
{
    return [
        'amount' => ['required', 'numeric', 'min:1', 'max:1000000'],
    ];
}
```

## Transaction Limits
Configure daily and monthly transaction limits:

```php
'security' => [
    'max_amount_per_day' => 100000,
    'max_amount_per_month' => 500000,
],
```
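As an added example (not the package's own code) covering both the Amount Validation and Transaction Limits sections above, here is a form request that applies the per-request amount rules and then enforces the configured daily and monthly caps against what the user has already spent. It assumes the limits live under the `security` key of `config/sisp.php` as shown above; the `Transaction` model and its `user_id`, `amount`, `status` and `created_at` columns are hypothetical.

```php
<?php
// Added example, not part of the Laravel SISP package. Assumes the limits are
// readable as config('sisp.security.max_amount_per_day') and
// config('sisp.security.max_amount_per_month'); the Transaction model and its
// columns are hypothetical.

namespace App\Http\Requests;

use App\Models\Transaction; // hypothetical model backing the audit trail
use DateTimeInterface;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Validator;

final class CreatePaymentRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Only authenticated users may initiate a payment.
        return $this->user() !== null;
    }

    public function rules(): array
    {
        // Server-side bounds: the client-supplied amount is never trusted.
        return [
            'amount' => ['required', 'numeric', 'min:1', 'max:1000000'],
        ];
    }

    public function withValidator(Validator $validator): void
    {
        $validator->after(function (Validator $v): void {
            if ($v->errors()->isNotEmpty()) {
                return; // basic rules already failed; skip the limit queries
            }

            $amount = (float) $this->input('amount');
            $userId = (int) $this->user()->getAuthIdentifier();

            $spentToday     = $this->spentSince($userId, now()->startOfDay());
            $spentThisMonth = $this->spentSince($userId, now()->startOfMonth());

            if ($spentToday + $amount > (float) config('sisp.security.max_amount_per_day')) {
                $v->errors()->add('amount', 'Daily transaction limit exceeded.');
            }

            if ($spentThisMonth + $amount > (float) config('sisp.security.max_amount_per_month')) {
                $v->errors()->add('amount', 'Monthly transaction limit exceeded.');
            }
        });
    }

    private function spentSince(int $userId, DateTimeInterface $since): float
    {
        // Count pending as well as completed transactions so a burst of
        // in-flight payments cannot slip under the cap before any of them settles.
        return (float) Transaction::query()
            ->where('user_id', $userId)
            ->whereIn('status', ['pending', 'completed'])
            ->where('created_at', '>=', $since)
            ->sum('amount');
    }
}
```

The limit check runs in `after()` so that it only fires once the basic rules have passed, and it counts pending transactions deliberately: a cap that only looks at settled payments can be exceeded by submitting several payments before the first one completes.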
## Middleware Protection

All payment routes are protected with middleware:

```php
Route::post('sisp/payment', PaymentController::class)
    ->middleware(ProtectPaymentRoute::class);
```

## Authentication
Implement authentication for sensitive operations:

```php
Route::post('sisp/refund', RefundTransactionController::class)
    ->middleware(['auth', 'can:refund-transactions']);
```

## Security Events
Monitor for suspicious activity:
- Multiple failed payment attempts
- High-risk score transactions
- VPN/proxy usage patterns
- Blacklist hits
## Audit Trail
All transactions are logged with:
- Request metadata (IP, user agent, geolocation)
- Timestamps
- Status changes
- Refund and cancellation history
## Data Retention
Configure appropriate data retention policies:
- Keep transaction records as required by law
- Implement data deletion procedures
- Anonymize old customer data
## GDPR Compliance
For EU customers:
- Implement data export functionality
- Provide data deletion capabilities
- Obtain explicit consent for data collection
- Document data processing activities
## PCI DSS
- Never store full card numbers
- Never store CVV codes
- Let SISP handle card data
- Use tokenization when available
## Updates
- Keep Laravel SISP updated to the latest version
- Monitor security advisories
- Update dependencies regularly
- Run `composer audit` to check for vulnerable dependencies
## Testing
- Run security-focused tests
- Perform penetration testing periodically
- Review access logs regularly
- Test backup and recovery procedures
If a security incident occurs:
- Isolate - Contain the incident immediately
- Assess - Determine the scope and impact
- Notify - Contact affected parties as required
- Document - Record all details and actions taken
- Review - Conduct post-incident analysis
- Improve - Update security measures
Built-in protections provided by the package:

- Rate Limiting: Prevent brute force attacks
- Blacklist Management: Block malicious actors
- Fingerprint Validation: Verify payment responses
- Metadata Collection: Track suspicious behavior
- Risk Scoring: Identify high-risk transactions
- VPN/Proxy Detection: Flag anonymous transactions
- Duplicate Prevention: Avoid processing same callback twice
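The protections above can be extended with project-specific checks written in the shape of the custom security action described in the next section. As an added example (not the package's own code), here is one such check that complements the webhook protection: it rejects callbacks that do not originate from an allow-listed address range. The config key `sisp.security.trusted_callback_cidrs` and the action class are hypothetical; the gateway's real address ranges must come from the provider's documentation.

```php
<?php
// Added example, not part of the Laravel SISP package. The config key
// 'sisp.security.trusted_callback_cidrs' and this action class are hypothetical.

namespace App\Actions;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpKernel\Exception\HttpException;

final class TrustedCallbackSourceAction
{
    public function handle(Request $request): void
    {
        $cidrs = (array) config('sisp.security.trusted_callback_cidrs', []);
        $ip = $request->ip();

        // Fail closed: with an empty allow-list no source is trusted.
        foreach ($cidrs as $cidr) {
            if (self::ipInCidr($ip, $cidr)) {
                return;
            }
        }

        Log::channel('security')->warning('SISP callback from untrusted source', ['ip' => $ip]);

        throw new HttpException(403, 'Untrusted callback source.');
    }

    /**
     * Prefix match of $ip against $cidr ("203.0.113.0/24", "2001:db8::/32" or a
     * bare address). Works for IPv4 and IPv6; mixed families never match.
     */
    public static function ipInCidr(string $ip, string $cidr): bool
    {
        [$subnet, $prefix] = array_pad(explode('/', $cidr, 2), 2, null);

        $ipBin = inet_pton($ip);
        $subnetBin = inet_pton($subnet);
        if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
            return false; // malformed input or IPv4 vs IPv6: never a match
        }

        $maxBits = strlen($ipBin) * 8;
        $bits = $prefix === null ? $maxBits : (int) $prefix;
        if ($bits < 0 || $bits > $maxBits) {
            return false;
        }

        // Compare whole bytes first, then the remaining high bits of the next byte.
        $fullBytes = intdiv($bits, 8);
        if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
            return false;
        }

        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }

        $mask = (0xFF << (8 - $rem)) & 0xFF;

        return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
    }
}
```

Call `handle()` from a route middleware placed in front of the callback controller. Note that `$request->ip()` only reflects the real client address when Laravel's trusted-proxy configuration matches your load balancer; with it misconfigured the check either blocks every callback or compares against the proxy's address, so verify that setting before relying on this check.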
Extend security by implementing custom checks:

```php
use Illuminate\Http\Request;

// Custom security action
class CustomSecurityCheckAction
{
    public function handle(Request $request): void
    {
        // Your custom security logic
    }
}
```

This package uses trusted dependencies:
- `spatie/laravel-package-tools` - Package scaffolding
- `stevebauman/location` - Geolocation detection
- `akira/laravel-pdf-invoices` - Invoice generation
All dependencies are regularly audited for security vulnerabilities.
We appreciate security researchers who:
- Follow responsible disclosure practices
- Give us time to address issues before public disclosure
- Provide detailed reports
- Suggest remediation when possible
Security contributors will be acknowledged in our release notes (unless they prefer to remain anonymous).
For security concerns, contact:

- Email: kidiatoliny@akira-io.com
- PGP Key: Available upon request

Last Updated: December 2025