University Student in Cameroon Builds AI WAF for PHP/Laravel With Explainable Security Dashboard
These articles are AI-generated summaries. Please check the original sources for full details.
Built an AI-Powered WAF for PHP/Laravel Apps in Africa — Here’s What It Catches
A final-year computer science student from Cameroon, Nchiminyi, launched Kriosa, an AI-powered Web Application Firewall for PHP and Laravel apps. The tool uses a hybrid ML engine combining Random Forest and Neural Networks to detect over 25 attack vectors including SQL injection, XSS, and malicious bots.
Why This Matters
Most security tools for PHP developers are either too expensive (enterprise WAFs cost hundreds per month) or too complex for developers in Africa building real products on tight budgets. When sites get hacked, developers have no affordable way to understand what happened or prevent recurrence. Kriosa addresses this gap with a free Starter tier and an Explainable AI dashboard that reveals exactly why each request was blocked, making security educational and accessible—not just automated.
Key Insights
- Kriosa uses a hybrid ML engine combining Random Forest and Neural Networks for threat detection and blocking, as per 2026 documentation.
- The tool includes an Explainable AI dashboard that shows why a request was blocked, including feature triggers, confidence scores, and matched attack patterns.
- Kriosa detects over 25 attack vectors including SQL injection, XSS, path traversal, malicious bot detection, and rate limiting abuse.
- A fail-open mechanism ensures apps continue to work if Kriosa is unreachable—a deliberate design choice for reliability.
- The Starter tier is free with no credit card or enterprise contract required, targeting developers building on a real budget.
Working Examples
Installation and middleware setup for Laravel
composer require kriosa-ai/kriosa-php
KRIOSA_API_KEY=sk_your_api_key_here
KRIOSA_TIMEOUT=5
KRIOSA_DEBUG=false
KRIOSA_BADGE=true
// config/kriosa.php
return [
'api_key' => env('KRIOSA_API_KEY'),
'timeout' => env('KRIOSA_TIMEOUT', 5),
'debug' => env('KRIOSA_DEBUG', false),
];
// app/Http/Middleware/KriosaSecurity.php
use Closure;
use Kriosa;
use Illuminate\Http\Request;
class KriosaSecurity
{
public function handle(Request $request, Closure $next)
{
$apiKey = config('kriosa.api_key');
if (!$apiKey) {
return $next($request);
}
try {
$kriosa = new Kriosa($apiKey, [
'timeout' => config('kriosa.timeout', 5),
'debug' => config('kriosa.debug', false),
]);
if (!$kriosa->protect()) {
return response('Access denied', 403);
}
} catch (\Exception $e) {
report($e);
}
return $next($request);
}
}
// app/Http/Kernel.php
protected $middleware = [
\App\Http\Middleware\KriosaSecurity::class,
];
// OR apply to specific routes only:
// routes/web.php
Route::middleware(['kriosa'])->group(function () {
Route::get('/dashboard', [DashboardController::class, 'index']);
});
Installation and integration for standard PHP apps
composer require kriosa-ai/kriosa-php
// Add this to your index.php or front controller
require_once __DIR__ . '/kriosa.php'; // for downloaded
require_once 'vendor/autoload.php'; // for composer install
$apiKey = getenv('KRIOSA_API_KEY') ?: 'YOUR_API_KEY_HERE';
try {
$kriosa = new Kriosa($apiKey, [
'timeout' => 3,
'debug' => false,
'fail_closed' => false,
'show_badge' => true,
]);
if (!$kriosa->protect()) {
header('X-Kriosa-Blocked: true');
http_response_code(403);
exit('Access Denied');
}
} catch (Exception $e) {
error_log('Kriosa Security Error: ' . $e->getMessage());
}
// Your application continues safely here...
Practical Applications
- Laravel developers can integrate Kriosa as global middleware in 30 seconds via Composer using the provided middleware class, protecting all inbound request routes automatically.
- Standard PHP projects without Laravel can add the SDK to index.php or a front controller to perform real-time request scanning before core application logic executes.
- Common anti-pattern is relying solely on pattern-based or regex WAFs without understanding why a request was blocked—Kriosa’s Explainable AI dashboard provides specific feature-level reasoning to educate developers.
- Another pitfall is failing to implement fail-open logic in security stacks, which can break apps during service outages; Kriosa defaults to fail-open when unreachable.
References:
- https://dev.to/kriosa/built-an-ai-powered-waf-for-phplaravel-apps-in-africa-heres-what-it-catches-4fgf
- kriosa.com
- kriosa.com/documentation.php
Continue reading
Next article
Catching AI Red-Handed in Financial Data: Deterministic Guardrails for Zero-Tolerance Compliance
Related Content
The Backdoor in Your Browser: Why You Are the Product (And How to Opt Out)
Google Chrome powers ~65% of web traffic via Chromium; modern browsers embed surveillance masked as privacy features.
Strategic Use of Multiple Gmail Accounts for Marketing and Workflow Management
Buying PVA Gmail accounts enhances deliverability and security for marketers by leveraging aged accounts with established trust metrics to bypass automated filters.
Backend Security in the AI Era: Why 'It Boots' Is Not Enough
DaloyJS 1.0.0-beta.0 launches with secure defaults to counter AI-generated backend code vulnerabilities.