The latest articles on Forem by AuthVolt (@authvolt). https://forem.com/authvolt https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3872186%2F10d21cb9-12c0-4dc8-ba5b-515435e785fe.png https://forem.com/authvolt en AuthVolt Fri, 10 Apr 2026 17:00:34 +0000 https://forem.com/authvolt/how-i-built-a-7-layer-security-stack-for-a-software-licensing-api-30ah https://forem.com/authvolt/how-i-built-a-7-layer-security-stack-for-a-software-licensing-api-30ah <p>How I built a 7-layer security stack for a software licensing API</p> <h2> The Problem </h2> <p>If you build desktop software and sell it, you need a way to verify that the person running your app actually paid for it. The typical solution: license keys + an API that validates them.</p> <p>But a simple "check key against database" endpoint gets cracked in hours. Replay attacks, shared keys, spoofed hardware IDs, brute-force attempts — the attack surface is massive.</p> <p>I needed something better. So I built AuthVolt (<a href="https://authvolt.net" rel="noopener noreferrer">https://authvolt.net</a>) with 7 independent security layers that every API request must pass through.</p> <h2> The Architecture </h2> <h3> Layer 1: Perimeter Firewall </h3> <p>Before any application code runs, incoming requests are checked against:</p> <ul> <li>Blocked IP addresses and CIDR ranges</li> <li>Country-level geo-blocking</li> <li>Banned user-agent patterns</li> </ul> <p>This is pure filtering — no business logic, no database queries. Malicious traffic is dropped at the edge.</p> <h3> Layer 2: Adaptive Rate Limiting </h3> <p>Every action has its own rate limit bucket, keyed by <code>IP + action_type</code>.</p> <p>Why per-action? Because a failed login attempt shouldn't block the same IP from registering. And a registration shouldn't affect API authentication requests.</p> <p>Progressive throttling: first offenses get slowed down, repeat offenders get temporary bans.</p> <h3> Layer 3: Bot Detection </h3> <p>Automated scripts, headless browsers, and credential-stuffing tools are identified by behavioral patterns. Suspicious requests are challenged (CAPTCHA or math verification) before reaching any auth logic.</p> <h3> Layer 4: Deep Payload Inspection </h3> <p>Every request body is analyzed across 16+ attack categories:</p> <ul> <li>SQL injection patterns</li> <li>XSS payloads</li> <li>Path traversal attempts</li> <li>Deserialization exploits</li> <li>Command injection</li> <li>And more</li> </ul> <p>This runs on every request, not just auth endpoints.</p> <h3> Layer 5: HWID Verification </h3> <p>License keys are bound to a cryptographic hardware fingerprint. The client app collects hardware identifiers (CPU, motherboard, disk serial, etc.), hashes them, and sends the HWID with every auth request.</p> <p>If the HWID doesn't match what's registered — the key is rejected instantly. Shared keys become worthless.</p> <h3> Layer 6: Endpoint Hardening (Enterprise) </h3> <p>Enterprise-tier endpoints use:</p> <ul> <li>Custom URL paths (no standard <code>/api/auth</code> to discover)</li> <li>Dynamic routing that changes on configuration</li> <li>Response encryption</li> </ul> <p>Static analysis of the binary won't reveal the endpoint. Packet sniffing won't reveal the response format.</p> <h3> Layer 7: Continuous Monitoring </h3> <p>Every authentication event is logged with:</p> <ul> <li>Timestamp, IP, user-agent</li> <li>HWID fingerprint</li> <li>License key used</li> <li>Result (success/fail/blocked)</li> <li>Which security layer rejected it (if applicable)</li> </ul> <p>Anomalous patterns trigger alerts. If one key suddenly authenticates from 50 different IPs — you know immediately.</p> <h2> Key Security Decisions </h2> <p><strong>Anti-timing attacks on login:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Even if user doesn't exist, run password_verify against a dummy hash</span> <span class="c1">// This prevents timing-based username enumeration</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="nb">password_verify</span><span class="p">(</span><span class="nv">$password</span><span class="p">,</span> <span class="s1">'$2y$12$dummy.hash.here'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Per-account lockout with sliding window:</strong><br> Instead of permanent lockouts (which become a DoS vector), I use a 30-minute sliding window. 5 failed attempts in 30 minutes = temporary lock. Window resets naturally.</p> <p><strong>Constant-time token comparison:</strong><br> All CSRF and session token comparisons use <code>hash_equals()</code> — never <code>===</code> or <code>strcmp()</code>.</p> <h2> Results </h2> <ul> <li>Auth latency: &lt;50ms per request</li> <li>Zero framework dependencies (pure PHP 8 + MySQL)</li> <li>Runs on any standard hosting</li> <li>Full admin panel with 30+ management pages</li> </ul> <p>The platform is live at <a href="https://authvolt.net" rel="noopener noreferrer">https://authvolt.net</a> with a free tier if you want to see it in action.</p> <p>What security measures would you add? What do you think is overkill? I'd love to hear from developers who've dealt with similar problems.</p> security php api webdev