Note: This repo contains the core of the framework. The application template can be found at
webfiori/app.
WebFiori is a modular, object-oriented PHP framework designed for building secure web applications and APIs. It provides a complete toolkit β routing, middleware, authorization, database management, job queues, and more β while remaining lightweight and free of heavy external dependencies.
- PHP 8.1 or later
- Extensions:
json,mbstring,fileinfo,openssl - Composer
| PHP Version | Status |
|---|---|
| 8.1 |  |
| 8.2 |  |
| 8.3 |  |
| 8.4 |  |
| 8.5 | |
composer create-project webfiori/app my-project
cd my-project
php -S localhost:8080 -t public- Route groups, URI parameters, and middleware assignment
- OpenAPI 3.1 specification generation from annotated controllers
- CSRF protection middleware with automatic token injection
- CORS middleware with per-route configuration
- Rate limiting with configurable windows and trusted IPs
- Session encryption at rest (AES-256-GCM)
- Maintenance mode with IP allowlisting and Retry-After headers
- Role-Based Access Control (RBAC) with role inheritance
- Attribute-Based Access Control (ABAC) with policy evaluation
- Database-backed or in-memory storage for roles and permissions
#[PreAuthorize]and#[RequiresAuth]attributes for declarative access control
- Query builder supporting MySQL, MSSQL, and SQLite
- Schema migrations with run, rollback, dry-run, fresh, and status commands
- Database seeders
- Connection management with environment variable resolution
- Priority-based execution with dependency resolution
- Before, after, and after-send lifecycle hooks
- Middleware groups for bulk assignment to routes
- Built-in: session, CSRF, CORS, rate limiting, caching, maintenance mode, authorization
- Dispatching with priority and delayed execution
- Automatic retry with configurable attempts and backoff
- Payload encryption (AES-256-GCM) via environment key
- Failed job tracking and retry commands
- Pluggable storage backends via
QueueStorageinterface
- Container with
bind(),singleton(), andinstance()registration - Automatic constructor dependency resolution
- Integrated with framework core services
- CRON-based background task execution
- Scheduler daemon for development environments
- Task arguments and conditional execution
- Health check system with HTTP endpoint (200/503)
- Built-in checks for cache and storage availability
- Extensible via
HealthCheckInterface - Structured file-based logging with daily rotation and level filtering
- Internationalization (i18n) with LTR/RTL support
- Theming system for multiple UI variants
- Programmatic DOM manipulation in PHP
- Templated HTML email delivery with attachments
- CLI scaffolding commands for controllers, middleware, migrations, and more
- Event dispatcher for decoupled application components
- Pluggable cache layer with full-response and HTTP caching (ETag/304)
- Environment variable resolution in configuration (
env:prefix) - File upload handling with validation
WebFiori is composed of independent, interface-driven packages. Storage backends for sessions, cache, queues, and authorization are pluggable β implement the interface and swap the default.
Request lifecycle: Request β Middleware (before) β Route Dispatch β Middleware (after) β Response β Middleware (afterSend)
| Library | Build | Latest |
|---|---|---|
| HTTP |  |
 |
| Database |  |
 |
| CLI |  |
 |
| Cache |  |
 |
| UI |  |
 |
| Mailer |  |
 |
| File |  |
 |
| Json |  |
 |
| Collections |  |
 |
| Error Handler |  |
 |
| Container |  |
 |
| Queue |  |
 |
| Event |  |
 |
| Log |  |
 |
See CONTRIBUTING.md for guidelines.
To report security vulnerabilities, please email ibrahim@webfiori.com. See SECURITY.md for supported versions.
MIT β see LICENSE for details.