Cheat Sheet: Symfony Configuration

Symfony provides many built-in security features to help secure applications, such as using strong database credentials, enabling CSRF protection, validating user input, enforcing HTTPS, and using access control lists. Developers should avoid hardcoded credentials, hash passwords with a strong algorithm, manage users in a database rather than hardcoding them, and limit CORS to trusted domains. Keeping dependencies up to date and scanning them for known vulnerabilities is also important for application security.


SYMFONY CONFIGURATION
CHEAT SHEET

USE STRONG DATABASE CREDENTIALS

A database, whether a server or an SQLite file, often contains the most sensitive data of your users and customers. You have to make sure that this data is stored securely. The first steps are secure secrets and no default values as credentials.

Do not use the root user for your database connection, and choose a strong password that is long and random. Create a different user for each application and grant it only the privileges that application needs. Use environment variables for secrets and credentials: Symfony supports .env files to load environment variables easily during development, but commit only placeholders and keep the real values in the untracked .env.local file or, in production, in the server environment or the Symfony secrets vault.

config/packages/doctrine.yaml

    doctrine:
        dbal:
            url: '%env(DATABASE_URL)%'
    # .env.local, with <strong-password> and <db-host> as placeholders:
    # DATABASE_URL=mysql://non_root:<strong-password>@<db-host>:3306/unique_db

USE BUILT-IN CSRF PROTECTION

Cross-Site Request Forgery (CSRF) is an often forgotten vulnerability in web applications. It allows attackers to submit requests in the name of other users and so act with their privileges. With CSRF protection activated, every state-changing form submission must carry a secret token bound to the user's session, so a request forged from another site is rejected.

Enable the built-in CSRF protection globally. If necessary, disable protection only for specific form types, for example a stateless API endpoint that authenticates by token, and never for the whole application. The login form is not covered by this setting alone: the form_login authenticator has its own enable_csrf option.

config/packages/framework.yaml

    framework:
        csrf_protection: true

USE A STRONG ALGORITHM FOR PASSWORDS AND OTHER SECRETS

A strong, deliberately slow algorithm such as bcrypt makes it very difficult for an attacker to recover the plaintext password from the password hash.

It is important that your passwords stay secure even if your database is leaked. Use a strong password hashing algorithm and never save passwords as plaintext, nor as a fast unsalted hash such as MD5 or SHA-1. The cost factor sets how slow each hash is; 15 is on the high side (well over a second per hash on typical servers), so measure the login latency on your hardware and keep the value as high as users will tolerate.

config/packages/security.yaml

    security:
        encoders:
            Symfony\Component\Security\Core\User\User:
                algorithm: bcrypt
                cost: 15

The encoders key is the Symfony 4 syntax. From Symfony 5.3 on it is called password_hashers, and algorithm: auto selects the strongest algorithm available (Argon2 through sodium where present, otherwise bcrypt) and follows upgrades in later releases.

AVOID HARDCODED CREDENTIALS

Internal and external attackers can steal hardcoded credentials from the repository or the deployed configuration, and such credentials are hard to rotate and manage on production systems. Instead, manage and store your users in a database. For this you can use the FOSUserBundle, which after a simple integration relieves you of many steps of user administration. Note that FOSUserBundle is no longer actively developed; for new projects the Doctrine entity user provider built into the Security component is the recommended route.

Do not: config/packages/security.yaml

    providers:
        in_memory:
            memory:
                users:
                    admin:
                        password: supersecurepassword
                        roles: 'ROLE_ADMIN'

Instead: config/packages/security.yaml

    security:
        providers:
            fos_userbundle:
                id: fos_user.user_provider.username
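A user provider backed by Doctrine together with the current password hasher syntax, covering both the hashing and the hardcoded-credentials sections above. This is an added example and not part of the original cheat sheet; it assumes Symfony 5.3 or later, a Doctrine entity App\Entity\User with an email property, and a database that still holds bcrypt hashes.

```yaml
# config/packages/security.yaml (added example, not from the cheat sheet)
# Assumed: Symfony 5.3 or later, a Doctrine entity App\Entity\User with an
# "email" property, and a database that still holds bcrypt hashes.
security:
    password_hashers:
        App\Entity\User:
            # "auto" picks the strongest algorithm PHP offers (Argon2id through
            # sodium where available, bcrypt otherwise) and follows upgrades in
            # later Symfony releases without a config change.
            algorithm: auto
            # Existing bcrypt hashes keep verifying; each one is re-hashed with
            # the new algorithm on the user's next successful login when the
            # user provider implements PasswordUpgraderInterface.
            migrate_from:
                - bcrypt

    providers:
        # Users are loaded from the database by the assumed "email" property.
        # Rotating a password or disabling an account is a data change, not a
        # config deployment, and no credential lives in version control.
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

# Keep production hashing slow but the test suite fast: the lowest cost
# parameters are applied only in the "test" environment.
when@test:
    security:
        password_hashers:
            App\Entity\User:
                algorithm: auto
                cost: 4          # bcrypt: minimum cost, tests only
                time_cost: 3     # argon2: minimum iterations, tests only
                memory_cost: 10  # argon2: minimum memory, tests only
```

The MakerBundle-generated UserRepository already implements PasswordUpgraderInterface, which is what allows the migrate_from entry to rehash legacy bcrypt hashes transparently as users log in.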
RANDOM APP SECRET

Use a long, random and unique string as the application secret. Never use the same secret for two different apps. The secret is used to create unique CSRF tokens, but it is also used for other elements where a unique and random string is required, such as remember-me cookies and signed URIs. Generate it from a cryptographically secure random source and store it in an environment variable (APP_SECRET in the default Symfony recipe) so that it never appears in the committed configuration.

FORCE HTTPS

Always ensure that controllers that process or display user data can only be accessed via a secure protocol. Setting schemes: [https] on a route makes Symfony redirect plain HTTP requests to HTTPS for that route. Rather than repeating this per route, enforce it for the whole application with requires_channel: https in the access_control rules, and redirect to HTTPS at the web server or load balancer as well.

config/routes.yaml

    secure:
        path: /secure
        controller: App\Controller\MainController::secure
        schemes: [https]

USE DATA VALIDATION

Use the input validation options of Symfony. They allow you to check the correctness of user data in forms or database entities and to reject malicious input before it is processed or stored. It often helps to use annotations (attributes in current PHP) in your code; these can also be used to define validation constraints directly on properties. Validation does not replace output escaping or parameterised queries, but it stops malformed input early.

config/packages/framework.yaml

    framework:
        validation: { enabled: true }
        # or, to read constraints from annotations (called enable_attributes from Symfony 6.4):
        validation: { enable_annotations: true }
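Constraints defined in a mapping file instead of annotations, as an added example that is not part of the original cheat sheet. It assumes a Doctrine entity App\Entity\User with email and plainPassword properties and a 180-character email column; the Validator component loads every mapping file under config/validator/ automatically once validation is enabled.

```yaml
# config/validator/validation.yaml (added example, not from the cheat sheet)
# Mapping files keep the constraints next to the other configuration and work
# without enable_annotations. The entity, property and column names are assumed.
App\Entity\User:
    properties:
        email:
            - NotBlank: ~
            - Email:
                mode: strict        # RFC-compliant check; requires egulias/email-validator
            - Length:
                max: 180            # matches the assumed column length, so over-long input
                                    # is rejected before Doctrine ever issues the INSERT
        plainPassword:
            - NotBlank:
                groups: [registration]
            - Length:
                min: 12
                max: 4096           # bounds hashing cost; bcrypt also ignores bytes beyond 72
                groups: [registration]
            - NotCompromisedPassword:
                # Checks the password against the Have I Been Pwned range API
                # (k-anonymity, only a hash prefix leaves the server). skipOnError
                # lets registration proceed if that service is unreachable.
                skipOnError: true
                groups: [registration]
```

The registration group keeps the password rules from firing on profile edits where plainPassword is empty; validate with that group only on the sign-up form.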

USE GLOBAL ACCESS CONTROL

Setting access rights in each individual controller can cause you to forget a path or controller, so that an unauthorized user gains access to sensitive data. Make sure to set access permissions in the global security configuration for all controllers, following the least-privilege design principle. Always whitelist, not blacklist, to capture all cases: end the list with a catch-all rule that requires authentication. Rules are evaluated from top to bottom and the first match wins, so specific paths must be listed before general ones.

config/packages/security.yaml

    security:
        access_control:
            - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/admin, role: ROLE_ADMIN }
            - { path: ^/, role: ROLE_USER }
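The ordering pitfall and the whitelist pattern in a full firewall configuration, as an added example that is not part of the original cheat sheet. It assumes Symfony 5.4 or later, a user provider named app_user_provider, routes named app_login and app_logout, and the URL prefixes /admin and /api; the commented-out access_control list is the mistake, the active one is the version to keep.

```yaml
# config/packages/security.yaml (added example, not from the cheat sheet)
# Assumed: Symfony 5.4 or later, a user provider named app_user_provider,
# routes named app_login / app_logout, and the URL prefixes /admin and /api.
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true   # framework.csrf_protection alone does not cover the login form
            logout:
                path: app_logout

    # WRONG ORDER (kept as a comment): rules are matched top to bottom and the
    # first match wins, so the catch-all also applies to /admin and the
    # ROLE_ADMIN rule is never reached.
    # access_control:
    #     - { path: ^/, roles: ROLE_USER }
    #     - { path: ^/admin, roles: ROLE_ADMIN }

    # RIGHT ORDER: specific paths first, the catch-all last, and nothing is
    # reachable without a rule. PUBLIC_ACCESS is the Symfony 5.2+ name for
    # IS_AUTHENTICATED_ANONYMOUSLY; requires_channel enforces HTTPS for the
    # whole application instead of route by route.
    access_control:
        - { path: ^/login$, roles: PUBLIC_ACCESS, requires_channel: https }
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https }
        # Only GET and POST are granted to ROLE_API here; any other method on
        # /api falls through to the catch-all below and needs ROLE_USER.
        - { path: ^/api, roles: ROLE_API, methods: [GET, POST], requires_channel: https }
        - { path: ^/, roles: ROLE_USER, requires_channel: https }
```

php bin/console debug:firewall main prints the effective configuration of the firewall, which is a quick way to confirm that the catch-all really is the last rule after a merge.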
USE CORS WITH CARE

Cross-Origin Resource Sharing helps you if you want to load content and scripts from other servers. If you work with CORS, use it wisely and limit it as much as you can. Symfony integrates NelmioCorsBundle, which defines which origins are allowed. It is recommended to use environment variables, and to always whitelist, not blacklist, to capture all cases.

The allow_origin setting specifies which sites are allowed to exchange data with your application under a relaxed Same-Origin Policy. An overly broad rule can leak HTTP responses to malicious sites, which can then steal sensitive data. Entries are treated as regular expressions only when origin_regex is enabled; otherwise they are compared literally.

config/packages/nelmio_cors.yaml

    nelmio_cors:
        defaults:
            origin_regex: true
            allow_origin: ['^https?://localhost(:[0-9]+)?$']
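The weak CORS setting beside the hardened one, as an added example that is not part of the original cheat sheet. It assumes NelmioCorsBundle 2.x, an API under /api/, and an environment variable CORS_ALLOW_ORIGIN defined per environment (the name the Symfony Flex recipe uses); the commented-out block is the configuration to avoid.

```yaml
# config/packages/nelmio_cors.yaml (added example, not from the cheat sheet)

# DANGEROUS (kept as a comment): every origin is accepted and, because
# credentials are allowed as well, responses bound to the user's session
# become readable from any site that user visits.
# nelmio_cors:
#     defaults:
#         allow_origin: ['*']
#         allow_credentials: true
#     paths:
#         '^/': null

# SAFER: an explicit whitelist of origins taken from the environment, only the
# methods and headers the API actually uses, and CORS headers emitted only for
# the API prefix instead of the whole application.
nelmio_cors:
    defaults:
        origin_regex: true
        # .env.local (assumed value): CORS_ALLOW_ORIGIN='^https://(app|admin)\.example\.com$'
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_methods: ['GET', 'POST', 'OPTIONS']
        allow_headers: ['Content-Type', 'Authorization']
        allow_credentials: true    # acceptable only because the origin list is explicit
        max_age: 3600
    paths:
        '^/api/': null             # null = use defaults; paths not listed get no CORS headers at all
```

Anchor the regular expression with ^ and $ as above: without the trailing $ an origin such as https://app.example.com.attacker.net would also match.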

AVOID OUTDATED DEPENDENCIES

Use tools to continuously check your dependencies for known and new vulnerabilities, in CI as well as on a schedule, because an advisory can be published long after your last deployment. Find out more at www.ripstech.com on how to scan your custom Symfony code for critical security vulnerabilities and other misconfigurations.

terminal

    $ composer require sensiolabs/security-checker
    $ php bin/console security:check

The sensiolabs/security-checker package has since been abandoned and its security:check console command removed. The same lookup against the FriendsOfPHP security advisories database is now built into the Symfony CLI (symfony check:security) and into Composer itself (composer audit, available from Composer 2.4); both read composer.lock without bootstrapping the application and are suited to a CI job.

MORE SECURITY INSIGHTS @ RIPSTECH.COM
