php-router
๐ก v.php โ Enterprise Secure PHP Router
Zero Trust Routing โข Signed URLs โข Anti-Replay โข Bot Defense โข Stealth Security
๐ What is v.php?
v.php is a high-security, single-file PHP router designed for hostile environments.
It transforms unsafe direct access:
/dashboard.php
into a fully verified, signed, behavior-protected request pipeline:
User โ Signed URL โ Security Engine โ Safe Resource Access
Every request is treated as untrusted โ and must prove legitimacy.
๐ธ Control Panel
The built-in control panel provides:
- Route analytics and usage tracking
- Bot activity and IP monitoring
- Route management system
- Access and security logs
- IP ban / unban controls
Access panel:
/?__cp__
๐ฅ Demo (Request Flow)
Typical flow:
User โ Direct File Request
โ Router Intercepts
โ Signed URL Generated
โ Redirect
โ Secure Access
๐ฅ Why This Stands Out
Unlike traditional routers, v.php is built with a security-first architecture, not as an afterthought.
Core advantages:
- ๐ Cryptographically signed URLs (HMAC SHA-256)
- ๐ Replay attack prevention (session + IP binding)
- ๐ค Adaptive bot detection (behavior scoring engine)
- ๐ป Stealth banning (fake 404 responses)
- ๐ Network intelligence (ISP, VPN, hosting detection)
- โก Zero database dependency (pure JSON storage)
- ๐ Built-in control panel (no external tools)
๐ง Security Model (Zero Trust)
Request
โ
Signature Validation
โ
Token Replay Protection
โ
Rate Limiting
โ
Bot Scoring Engine
โ
Stealth Ban System
โ
Secure File Resolution
โ
Response
Each layer independently enforces security โ failure at any step stops execution.
โ๏ธ Core Features
๐ Signed URL System
- Every request must contain a valid HMAC signature
- Any tampering โ immediate rejection
- Supports short (
/?r=TOKEN) and classic URLs
๐ Replay Protection Engine
Each token is bound to:
- IP address
- Session ID
- User-Agent
Prevents:
- Link sharing abuse
- Token reuse
- Session hijacking
๐ค Adaptive Bot Detection
| Event | Score |
|---|---|
| Invalid signature | +10 |
| Replay attempt | +15 |
| Device mismatch | +3 |
| Token leak | +20 |
๐ป Stealth Ban System
Blocked users receive:
HTTP 404 Not Found
No indication of restriction.
๐ Network Intelligence Layer
Detects:
- Country & City
- ISP
- VPN / Proxy
- Hosting network
- Mobile network
๐ Built-in Control Panel
/?__cp__
Provides monitoring, logs, and route management.
๐ Architecture Philosophy
Never trust the request. Always verify.
- No direct file execution
- Single entry point
- Behavior-driven validation
- Minimal attack surface
๐ Project Structure
project-root/
v.php
.htaccess
error.html
cp.jpeg (Demo)
cp.gif (Demo)
.runtime/
m.json
u.json
b.json
r.json
k.json
x.json
a.log
s.log
โ๏ธ Configuration (Inside v.php)
define('SIGN_SECRET', 'CHANGE_THIS');
define('SIGNED_TTL', 7200);
define('URL_MODE', 'short');
define('CP_PASSWORD', 'admin1234');
๐ SIGN_SECRET
- Must be strong and random
- Used for signing
- Changing it invalidates all links
๐ URL Modes
| Mode | Example |
|---|---|
| short | /?r=TOKEN |
| classic | /v.php?id=1&sig=... |
๐ Auto-Signing Flow
User โ direct file
โ router intercepts
โ signed URL generated
โ redirect โ secure access
๐ฆ Rate Limiting
40 requests / 60 seconds per IP
๐ Logging System
Access Log
Tracks usage and behavior
Security Log
Tracks attacks and blocks
๐ Installation
1. Upload Files
v.php
.htaccess
error.html
2. Create Runtime Directory
mkdir .runtime
chmod 777 .runtime
3. Configure
- Set
SIGN_SECRET - Change
CP_PASSWORD
4. Done โ
๐ Apache Setup
- Route all traffic through router
- Block
.runtimeaccess - Enforce HTTPS
โก Performance Design
- No database
- JSON-based storage
- Automatic cleanup
- Lightweight execution
๐งช Ideal Use Cases
- Secure dashboards
- Private file delivery
- Anti-leak systems
- API protection
๐ฌ Contact
Email: psvineet@zohomail.in
๐ License
MIT License
โญ Support
Give a star โญ if you find this useful.