New in Symfony 6.4: Security Improvements
Badge Resolution in the Profiler
Contributed by
Hubert Lenoir
in #51585.
The Symfony Profiler provides detailed information about the security such as
the user token details, the security listeners related to the request and the
access decision log.
In Symfony 6.4 we’re improving it to also display how the security badges are
resolved. In this example, the user input their credentials wrong, so the
PasswordCredentials badge is not resolved correctly:
In this other example, user authentication was successful:
Safer Security Logs
Contributed by
Florent Morselli
in #51434.
When using the login throttling in your application (via the RateLimiter component)
Symfony generates certain log messages. Those logs include information such as
the IP address the the username. These could be considered as PII (Personally
Identifiable Information) ad that’s why we’re hashing them with a cryptographic
secure hash function.
You only need to upgrade to Symfony 6.4 or higher and Symfony will start hashing
the IP address and the username using the kernel secret of your application.
Arrays of Patterns in Firewalls
Contributed by
Grégoire Pineau
in #51128.
The pattern option of the security firewall defines the regular expression
used to decide if the incoming request matches the firewall. Sometimes, a single
firewall matches multiple paths, which can make the regular expression hard to
maintain. In Symfony 6.4, we’re improving this option so you can also pass
an array of regular expressions:
# config/packages/security.html.twig
security:
firewalls:
no_security:
– pattern: „^/(register|documentation)$“
+ pattern:
+ – „^/register$“
+ – „^/documentation$“
Symfony Blog