New in Symfony 6.4: Security Improvements

Badge Resolution in the Profiler

Contributed by
Hubert Lenoir

in #51585.

The Symfony Profiler provides detailed information about the security such as
the user token details, the security listeners related to the request and the
access decision log.

In Symfony 6.4 we’re improving it to also display how the security badges are
resolved. In this example, the user input their credentials wrong, so the
PasswordCredentials badge is not resolved correctly:

In this other example, user authentication was successful:

Safer Security Logs

Contributed by
Florent Morselli

in #51434.

When using the login throttling in your application (via the RateLimiter component)
Symfony generates certain log messages. Those logs include information such as
the IP address the the username. These could be considered as PII (Personally
Identifiable Information) ad that’s why we’re hashing them with a cryptographic
secure hash function.

You only need to upgrade to Symfony 6.4 or higher and Symfony will start hashing
the IP address and the username using the kernel secret of your application.

Arrays of Patterns in Firewalls

Contributed by
Grégoire Pineau

in #51128.

The pattern option of the security firewall defines the regular expression
used to decide if the incoming request matches the firewall. Sometimes, a single
firewall matches multiple paths, which can make the regular expression hard to
maintain. In Symfony 6.4, we’re improving this option so you can also pass
an array of regular expressions:

# config/packages/security.html.twig
– pattern: „^/(register|documentation)$“
+ pattern:
+ – „^/register$“
+ – „^/documentation$“

Sponsor the Symfony project.

Symfony Blog

Read More

Generated by Feedzy