Protect Laravel (Vapor) with custom AWS WAF rules


We would like to protect a Laravel site. Laravel Vapor employs AWS WAF, but its configuration is limited.

What we would like to achieve:

  1. Ability to temporarily add an IP address to AWS WAF from Laravel code.

e.g. something throws SuspiciousOperationException and we block that IP for 5 minutes using AWS WAF. I guess there should be some sort of API call from PHP to AWS WAF.

  2. Ability to filter method spoofing via WAF, not allowing it to reach PHP code.

e.g. we get attempts where $method is replaced by ../etc/passwd

in /var/task/vendor/symfony/http-foundation/Request.php (line 1228)
    if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'], true)) {
        return $this->method = $method;
    }
    if (!preg_match('/^[A-Z]++$/D', $method)) {
        throw new SuspiciousOperationException(sprintf('Invalid method override "%s".', $method));
    }

Is this viable? I cannot find anything related to this subject.
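One way to implement the first point, as an added example that is not part of the question: a small service that records temporary blocks with an expiry and pushes the live ones into a WAFv2 IP set. It assumes the AWS SDK for PHP v3, an IP set that a BLOCK rule in the Web ACL already references, and placeholder name/id values.

```php
<?php
// Added example, not from the question. Assumes aws/aws-sdk-php v3 and a WAFv2 IP set that a
// BLOCK rule in the Web ACL already references; name/id are placeholders. Scope is CLOUDFRONT.
use Aws\WafV2\WafV2Client;
use Illuminate\Support\Facades\Cache;

final class TemporaryWafBlocklist
{
    private const CACHE_KEY = 'waf:temporary-blocks'; // hypothetical cache key
    public function __construct(
        private WafV2Client $waf,
        private string $ipSetName = 'IPSET_NAME_PLACEHOLDER',
        private string $ipSetId = 'IPSET_ID_PLACEHOLDER',
        private string $scope = 'CLOUDFRONT',
    ) {}
    /** Block $ip for $ttlSeconds (default 5 minutes), e.g. from the exception handler. */
    public function block(string $ip, int $ttlSeconds = 300): void
    {
        $blocks = Cache::get(self::CACHE_KEY, []);
        $blocks[$this->toCidr($ip)] = time() + $ttlSeconds; // CIDR => expiry timestamp
        Cache::forever(self::CACHE_KEY, $blocks); // note: not atomic across concurrent Lambdas
        $this->sync();
    }
    /**
     * Drop expired entries and replace the IP set's address list with the live ones.
     * Schedule this too (e.g. every minute) so blocks expire without new traffic;
     * WAF changes take up to about a minute to propagate, so 5 minutes is approximate.
     */
    public function sync(): array
    {
        $now = time();
        $blocks = array_filter(Cache::get(self::CACHE_KEY, []), fn (int $exp) => $exp > $now);
        Cache::forever(self::CACHE_KEY, $blocks);
        $ref = ['Name' => $this->ipSetName, 'Scope' => $this->scope, 'Id' => $this->ipSetId];
        // UpdateIPSet replaces the whole list and requires the LockToken from GetIPSet;
        // a stale token throws WAFOptimisticLockException, so the caller may retry sync().
        $current = $this->waf->getIPSet($ref);
        $this->waf->updateIPSet($ref + [
            'Addresses' => array_keys($blocks),
            'LockToken' => $current['LockToken'],
        ]);
        return array_keys($blocks);
    }
    private function toCidr(string $ip): string
    {
        return str_contains($ip, ':') ? $ip . '/128' : $ip . '/32'; // WAF wants CIDR notation
    }
}
```

Call `block($request->ip())` from the handler for SuspiciousOperationException and register `sync()` in the scheduler so entries are removed once they expire.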
