Requires Magento 2.3+, PHP 7.2+ and an eComscan account (Advanced or up).

You can configure your license key and other settings via System → Configuration → Security → Sansec Shield.

IPs listed under Whitelisted IP Addresses bypass all Shield checks. Matching is performed against the connecting peer (REMOTE_ADDR) only; proxy-forwarded headers such as X-Forwarded-For and CF-Connecting-IP are intentionally ignored because they are client-controlled and can be spoofed.

If your store sits behind a reverse proxy or CDN, configure your webserver to rewrite the trusted proxy header into REMOTE_ADDR (ngx_http_realip_module on nginx, mod_remoteip on Apache). Once REMOTE_ADDR reflects the real client IP, the whitelist will match it correctly.

Test it by visiting your store and add ?SANSEC-SHIELD-TEST to your URL, it should give you "permission denied". You'll see your first blocked attack appear instantly on your Shield Dashboard. If you do not want reports, you can disable it with:

You can always view detailed logs in var/log/sansec_shield.log.

See for FAQs our Shield guide.

Shield rules update automatically through the standard Magento cron mechanism. If you are running a standard cron setup (bin/magento cron:run), no further action is required.

If you only run specific cron groups (bin/magento cron:run --group <group name>), make sure to include a cron for the sansec group as well.

You can verify Shield rules sync every 5 minutes in var/log/sansec_shield.log.

The Sansec Shield module is deliberately kept stable and there is no need to monitor for updates. If an essential new version is released, we will notify you via email.

To check your current version:

To upgrade to the latest version:

If you get this error when running bin/magento sansec:shield:sync-rules, even though the license key is already configured, flush the Magento cache:

Then retry the sync command.

Run the Magento dependency injection compiler:

Shield's only dependency is magento/framework, so it will not pull in or force any additional upgrades. If you see many packages being upgraded, your vendor/ directory was out of sync with composer.lock. Running composer require synced your vendor directory to match.

To avoid this, revert composer.lock to a version that matches your current vendor directory before installing Shield:

If installing via Composer is not an option, you can copy the source files directly into app/code/Sansec/Shield, though you will need to handle updates manually from that point on.

Magento's cron:install resolves symlinks to their real path, so after a new deployment the crontab still points to the old release directory. Ensure that the crontab uses your stable symlink (e.g. /data/web/current/bin/magento) instead.

Sansec Shield is published under the liberal MIT license.